File name:

0082598df77e22bcffdcc6ab45e7be70N.exe

Full analysis: https://app.any.run/tasks/e29762dd-f565-47d2-b186-850fe051888e
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: July 07, 2024, 10:50:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
miner
github
upx
xmrig
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5:

0082598DF77E22BCFFDCC6AB45E7BE70

SHA1:

B6AD3994F4EAA831F2BFCBDD69BF37E97B144D90

SHA256:

5E581BEE8B66E447E6ECC1DD3E16EDD4BCDF874D2BC83F9A959D3142C1596EAA

SSDEEP:

49152:qHL+THhYqX8kEWkuNYyiSQbvk0jFEQ45rA2C9wvfMoeyNRQjm1gMkHC0IlnASExQ:qHCiU8uxWyiZbv1EQ4F7rNRQjmT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

    • Connects to the CnC server

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

    • Scans artifacts that could help determine the target

      • powershell.exe (PID: 1052)

    • XMRIG has been detected (YARA)

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

  • SUSPICIOUS

    • Request a resource from the Internet using PowerShell's cmdlet

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

    • Starts POWERSHELL.EXE for commands execution

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

    • Potential Corporate Privacy Violation

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

  • INFO

    • Checks supported languages

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

    • Checks proxy server information

      • powershell.exe (PID: 1052)

    • Reads the computer name

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

    • Disables trace logs

      • powershell.exe (PID: 1052)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1052)

    • Reads Internet Explorer settings

      • powershell.exe (PID: 1052)

    • UPX packer has been detected

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (87.1)
.exe | Generic Win/DOS Executable (6.4)
.exe | DOS Executable Generic (6.4)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2019:09:04 19:31:32+00:00
ImageFileCharacteristics: Executable, Large address aware, No debug
PEType: PE32+
LinkerVersion: 14.22
CodeSize: 540672
InitializedDataSize: 4096
UninitializedDataSize: 3588096
EntryPoint: 0x8ca64
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT 0082598df77e22bcffdcc6ab45e7be70n.exe conhost.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
1052powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
0082598df77e22bcffdcc6ab45e7be70N.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3780\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe0082598df77e22bcffdcc6ab45e7be70N.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4424"C:\Users\admin\Desktop\0082598df77e22bcffdcc6ab45e7be70N.exe" C:\Users\admin\Desktop\0082598df77e22bcffdcc6ab45e7be70N.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\0082598df77e22bcffdcc6ab45e7be70n.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
7 274
Read events
7 249
Write events
25
Delete events
0

Modification events

(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
8
Text files
103
Unknown types
0

Dropped files

PID
Process
Filename
Type
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\discussions-9d3cffcbc704[1].csstext
MD5:4459D0FDFC5ED2870B953934786D8E24
SHA256:23ED3D33C252B1B7E1498309F994EBC5448D5ED2D2BB48B580607517BE62B76C
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\primer-primitives-8500c2c7ce5f[1].csstext
MD5:E9C08B9BA681AD6606BD18F264E73EF6
SHA256:B08C9718118F5B814E632AC3DC0D8E009E5DC2913DF183F0ED322E6817E997DF
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\dashboard-e264a87d442a[1].csstext
MD5:4928C91622B4AB71D3C741516CE3A27C
SHA256:595243D90FC171C6B9C6C1192A76057BA9066AB963AA6A77918070D2BC52CCCF
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\global-526475a50099[1].csstext
MD5:1D84A1218AC4D2D6FA58318B710FE1C2
SHA256:8336CF6CBCD22D18CF68EEDB45141E5724C1C9BFCE2FAA71267C528B79D0C085
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\site-3ab44dbdb8a0[1].csstext
MD5:6898D881FB9B6758FB5A65B3B9FAC739
SHA256:2BB851AA74118BB53F44AE8BA20C228638AA5D08DFDE84581A3D67FCFEC05B7D
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\github-0c7b5281bcc9[1].csstext
MD5:D93B35EDA2F4E99E5555C4CEA314C18B
SHA256:92C3D2D683BC4CDC52CF25451B52341558BBF6665C9C326AAD3D3C2EA0EB9372
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\light-efd2f2257c96[1].csstext
MD5:B8473FDB0F4749DE99341662AEC850F2
SHA256:8AABC55D211FC93ACB563C9CF30732577212A998196F73B067F9795C8D1EF72B
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_smoothscroll-polyfill_di-75db2e-e091a6d939e9[1].jstext
MD5:2658FA77142D9A38479A85AC41A84CD9
SHA256:3F9C752182A74F07C7BB37F01119DB83F14577A530D19F3899BCB4A448D838A9
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\vendors-node_modules_dompurify_dist_purify_js-810e4b1b9abd[1].jstext
MD5:917054FF94AF6B65EF610AA7B541865A
SHA256:3B0D2012948870AF14B480BED5535B34C5F7E649A2C9C13234C319FBF8D2D7DB
1052powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bvexsg5g.eiv.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
113
TCP/UDP connections
21
DNS requests
5
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
301
140.82.121.4:443
https://raw.githubusercontent.com/
unknown
unknown
GET
200
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4
unknown
binary
3.41 Kb
unknown
GET
200
185.199.108.154:443
https://github.githubassets.com/assets/primer-primitives-8500c2c7ce5f.css
unknown
text
8.33 Kb
unknown
GET
200
140.82.121.4:443
https://github.com/
unknown
html
234 Kb
unknown
GET
200
185.199.109.154:443
https://github.githubassets.com/assets/light-efd2f2257c96.css
unknown
text
48.4 Kb
unknown
GET
200
185.199.109.154:443
https://github.githubassets.com/assets/dark-6b1e37da2254.css
unknown
text
48.3 Kb
unknown
GET
200
185.199.110.154:443
https://github.githubassets.com/assets/primer-61560ce103d3.css
unknown
text
333 Kb
unknown
GET
200
185.199.110.154:443
https://github.githubassets.com/assets/discussions-9d3cffcbc704.css
unknown
text
4.96 Kb
unknown
GET
200
185.199.111.154:443
https://github.githubassets.com/assets/global-526475a50099.css
unknown
text
282 Kb
unknown
GET
200
185.199.109.154:443
https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-03bcda509ec9.js
unknown
binary
8.70 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4032
svchost.exe
239.255.255.250:1900
whitelisted
4424
0082598df77e22bcffdcc6ab45e7be70N.exe
3.120.98.217:8080
AMAZON-02
DE
unknown
1052
powershell.exe
185.199.110.133:443
raw.githubusercontent.com
FASTLY
US
unknown
6004
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2248
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1052
powershell.exe
140.82.121.3:443
github.com
GITHUB
US
unknown
1052
powershell.exe
185.199.109.154:443
github.githubassets.com
FASTLY
US
unknown
4
System
192.168.100.255:137
whitelisted
3040
OfficeClickToRun.exe
20.189.173.28:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.109.133
shared
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
github.com
  • 140.82.121.3
shared
github.githubassets.com
  • 185.199.109.154
  • 185.199.108.154
  • 185.199.111.154
  • 185.199.110.154
whitelisted
self.events.data.microsoft.com
  • 20.189.173.28
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
4424
0082598df77e22bcffdcc6ab45e7be70N.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
2168
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
4424
0082598df77e22bcffdcc6ab45e7be70N.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
4424
0082598df77e22bcffdcc6ab45e7be70N.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
4424
0082598df77e22bcffdcc6ab45e7be70N.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
4424
0082598df77e22bcffdcc6ab45e7be70N.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
4424
0082598df77e22bcffdcc6ab45e7be70N.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
0082598df77e22bcffdcc6ab45e7be70N.exe