Malware Analysis Report

2024-10-23 20:55

Sample ID 230709-xz2gdsgb81
Target TeamViewerSetupexeexeexe.exe
SHA256 5a6dfde115172be8d295c748b4a681aabc1e7c105267e84e552c0c24518764df
Tags
rat vanillarat persistence
score
10/10

Analysis Overview

score
10/10

SHA256

5a6dfde115172be8d295c748b4a681aabc1e7c105267e84e552c0c24518764df

Threat Level: Known bad

The file TeamViewerSetupexeexeexe.exe was found to be: Known bad.

Malicious Activity Summary

rat vanillarat persistence

Vanillarat family

Vanilla Rat payload

VanillaRat

Vanilla Rat payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-09 19:18

Signatures

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Vanillarat family

vanillarat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-09 19:18

Reported

2023-07-09 19:20

Platform

win7-20230703-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe C:\Users\Admin\svchost.exe
PID 2192 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe C:\Users\Admin\svchost.exe
PID 2192 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe C:\Users\Admin\svchost.exe
PID 2192 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe C:\Users\Admin\svchost.exe
PID 2192 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe C:\Windows\SysWOW64\WerFault.exe
PID 2192 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe C:\Windows\SysWOW64\WerFault.exe
PID 2192 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe C:\Windows\SysWOW64\WerFault.exe
PID 2192 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe C:\Windows\SysWOW64\WerFault.exe
PID 2400 wrote to memory of 2136 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2400 wrote to memory of 2136 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2400 wrote to memory of 2136 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2400 wrote to memory of 2136 N/A C:\Users\Admin\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe"

C:\Users\Admin\svchost.exe

"C:\Users\Admin\svchost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 888

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 6.tcp.eu.ngrok.io udp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 6.tcp.eu.ngrok.io udp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 6.tcp.eu.ngrok.io udp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.115.178:16195 6.tcp.eu.ngrok.io tcp

Files

memory/2192-54-0x0000000000FE0000-0x000000000100E000-memory.dmp

\Users\Admin\svchost.exe

MD5 99198c628ae018b8b7d043514141bded
SHA1 fa9b200d99530fb5efb36e7f928ad01f4dec5ed8
SHA256 160c2339126bc7800801d9d41d688f88d2d2656f711e8bc53a74fe179510e895
SHA512 0dd0f1210120d2a3838135f250460cac64ad50ee4d7393409923dadde0f8a791288ef0a2cba96e6b9ee8bb27e190b403d3c1dfd2f4a0e2262543100fdd404f4a

C:\Users\Admin\svchost.exe

MD5 99198c628ae018b8b7d043514141bded
SHA1 fa9b200d99530fb5efb36e7f928ad01f4dec5ed8
SHA256 160c2339126bc7800801d9d41d688f88d2d2656f711e8bc53a74fe179510e895
SHA512 0dd0f1210120d2a3838135f250460cac64ad50ee4d7393409923dadde0f8a791288ef0a2cba96e6b9ee8bb27e190b403d3c1dfd2f4a0e2262543100fdd404f4a

memory/2400-63-0x0000000000C50000-0x0000000000C72000-memory.dmp

\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe

MD5 3854db59d8c7964dde765803e7e380b6
SHA1 e5d981f6798cb902b7091944cdd7badafb7e0322
SHA256 5a6dfde115172be8d295c748b4a681aabc1e7c105267e84e552c0c24518764df
SHA512 3c239f667c92716ae6ac2e01cf208d18b4ab0eab61d776b757b151ff9899ba8648593c37b0b9f7c26f672255c07951b62b1cd1fb0ac84431f0aaf18690db83fa

memory/2400-70-0x0000000000C10000-0x0000000000C50000-memory.dmp

\Users\Admin\AppData\Roaming\svchost.exe

MD5 99198c628ae018b8b7d043514141bded
SHA1 fa9b200d99530fb5efb36e7f928ad01f4dec5ed8
SHA256 160c2339126bc7800801d9d41d688f88d2d2656f711e8bc53a74fe179510e895
SHA512 0dd0f1210120d2a3838135f250460cac64ad50ee4d7393409923dadde0f8a791288ef0a2cba96e6b9ee8bb27e190b403d3c1dfd2f4a0e2262543100fdd404f4a

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 99198c628ae018b8b7d043514141bded
SHA1 fa9b200d99530fb5efb36e7f928ad01f4dec5ed8
SHA256 160c2339126bc7800801d9d41d688f88d2d2656f711e8bc53a74fe179510e895
SHA512 0dd0f1210120d2a3838135f250460cac64ad50ee4d7393409923dadde0f8a791288ef0a2cba96e6b9ee8bb27e190b403d3c1dfd2f4a0e2262543100fdd404f4a

memory/2136-77-0x0000000000A60000-0x0000000000A82000-memory.dmp

memory/2136-78-0x0000000004CE0000-0x0000000004D20000-memory.dmp

memory/2136-79-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-09 19:18

Reported

2023-07-09 19:20

Platform

win10v2004-20230703-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation C:\Users\Admin\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewerSetupexeexeexe.exe"

C:\Users\Admin\svchost.exe

"C:\Users\Admin\svchost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4792 -ip 4792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1472

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 6.tcp.eu.ngrok.io udp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
DE 3.66.38.117:16195 6.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 6.tcp.eu.ngrok.io udp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 126.131.255.8.in-addr.arpa udp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 126.129.241.8.in-addr.arpa udp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
DE 3.68.171.119:16195 6.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 6.tcp.eu.ngrok.io udp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:16195 6.tcp.eu.ngrok.io tcp

Files

memory/4792-133-0x00000000002A0000-0x00000000002CE000-memory.dmp

C:\Users\Admin\svchost.exe

MD5 99198c628ae018b8b7d043514141bded
SHA1 fa9b200d99530fb5efb36e7f928ad01f4dec5ed8
SHA256 160c2339126bc7800801d9d41d688f88d2d2656f711e8bc53a74fe179510e895
SHA512 0dd0f1210120d2a3838135f250460cac64ad50ee4d7393409923dadde0f8a791288ef0a2cba96e6b9ee8bb27e190b403d3c1dfd2f4a0e2262543100fdd404f4a

memory/1940-164-0x0000000000160000-0x0000000000182000-memory.dmp

memory/1940-165-0x00000000055B0000-0x0000000005B54000-memory.dmp

memory/1940-166-0x00000000050F0000-0x0000000005182000-memory.dmp

memory/1940-167-0x0000000005190000-0x000000000519A000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 99198c628ae018b8b7d043514141bded
SHA1 fa9b200d99530fb5efb36e7f928ad01f4dec5ed8
SHA256 160c2339126bc7800801d9d41d688f88d2d2656f711e8bc53a74fe179510e895
SHA512 0dd0f1210120d2a3838135f250460cac64ad50ee4d7393409923dadde0f8a791288ef0a2cba96e6b9ee8bb27e190b403d3c1dfd2f4a0e2262543100fdd404f4a