File name:	target.ps1
Full analysis:	https://app.any.run/tasks/f822dda0-9953-420e-829b-8059f656e3fe
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	May 16, 2025, 13:42:52
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	lemonduck miner loader
Indicators:
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	C0CFBB5CF491341B0EEE67C9B13E416A
SHA1:	EB884CA5E6FB3260F96707FC412C79648DC5C91D
SHA256:	6F6340796CAE4C11F8877634CEB56ED15D754C8745B62DF516CDE46F29A32B28
SSDEEP:	24:1U9XeC2Fs82qz4KFYfo7DUjOOp9C2S9ULzjCHOszfSHvhVrYSKTCveKQeQNr/g2d:GZyh2w4u8jvM0jGzfKYPrPVDnkG

PID	Process	Filename		Type
7404	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fmamyohr.o0y.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7404	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:DA1435406D4BE2CEBF7296E32171372E	SHA256:3711F5EE77842B50464A9FB862FA6D7DCA202DE227D1A275695ABAD5B23D6970
7404	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:93AAAF677D6FA24E2CF9B61D10C79BFD	SHA256:13176ED5CCBF4F8AC2EB3870CA04F42026F17D5E0CB105F223A43F32D2E2905B
7404	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IS2U8K9U895CFJF3RIZ7.temp		binary
		MD5:DA1435406D4BE2CEBF7296E32171372E	SHA256:3711F5EE77842B50464A9FB862FA6D7DCA202DE227D1A275695ABAD5B23D6970
7404	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mx4au510.qfl.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7404	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10c72a.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6876	RUXIMICS.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7404	powershell.exe	GET	302	37.48.65.148:80	http://t.hwqloan.com/aa.jsp?ipc_20210609?DESKTOP-JGLLJLDadmin1D1FB0BB-21B9-4FC0-B017-A4DADA231E17*791106803	unknown	—	—	malicious
6876	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7404	powershell.exe	GET	200	199.59.243.228:80	http://survey-smiles.com/	unknown	—	—	whitelisted
8000	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
8000	SIHClient.exe	GET	200	2.16.164.51:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6876	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6544	svchost.exe	20.190.160.20:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6876	RUXIMICS.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5496	MoUsoCoreWorker.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
2104	svchost.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
6876	RUXIMICS.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
google.com	216.58.206.78	whitelisted
login.live.com	20.190.160.20 40.126.32.140 40.126.32.134 40.126.32.136 20.190.160.132 20.190.160.17 20.190.160.14 20.190.160.3	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.106 2.16.164.51 2.16.164.18 2.16.164.89 2.16.164.81 2.16.164.107 2.16.164.32 2.16.164.16 2.16.164.58 2.16.164.112 2.16.164.121 2.16.164.113 2.16.164.130 2.16.164.131 2.16.164.34 2.16.164.123	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
t.hwqloan.com	37.48.65.148	malicious
survey-smiles.com	199.59.243.228	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

General Info

target.ps1

C0CFBB5CF491341B0EEE67C9B13E416A

EB884CA5E6FB3260F96707FC412C79648DC5C91D

6F6340796CAE4C11F8877634CEB56ED15D754C8745B62DF516CDE46F29A32B28

24:1U9XeC2Fs82qz4KFYfo7DUjOOp9C2S9ULzjCHOszfSHvhVrYSKTCveKQeQNr/g2d:GZyh2w4u8jvM0jGzfKYPrPVDnkG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LEMONDUCK has been detected (SURICATA)

Bypass execution policy to execute commands

Connects to the CnC server

Downloads the requested resource (POWERSHELL)

SUSPICIOUS

Contacting a server suspected of hosting an CnC

Process requests binary or script from the Internet

Uses base64 encoding (POWERSHELL)

INFO

Checks proxy server information

Disables trace logs

Script raised an exception (POWERSHELL)

Reads the software policy settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings