Analysis Overview
SHA256
6e977411cea076427e903cba32827b2d78202021f62c6b045c1e4a65042e8d15
Threat Level: Known bad
The file FirefoxInstallerexe.exe was found to be: Known bad.
Malicious Activity Summary
Vanilla Rat payload
Vanillarat family
VanillaRat
Vanilla Rat payload
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-10 13:28
Signatures
Vanilla Rat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Vanillarat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-10 13:28
Reported
2023-07-10 13:30
Platform
win7-20230703-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe
"C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe"
C:\Users\Admin\svchost.exe
"C:\Users\Admin\svchost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 892
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp |
| DE | 3.124.67.191:14997 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp |
| DE | 3.67.15.169:14997 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp |
| DE | 3.67.15.169:14997 | 7.tcp.eu.ngrok.io | tcp |
Files
memory/2280-54-0x0000000001170000-0x00000000011A6000-memory.dmp
C:\Users\Admin\svchost.exe
| MD5 | afd5d29bfcddb00b11a869fd2016282d |
| SHA1 | 0de3328c8a0dce66d17765665b29662de75e5d15 |
| SHA256 | 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748 |
| SHA512 | ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133 |
memory/2100-63-0x00000000002F0000-0x0000000000312000-memory.dmp
\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe
| MD5 | 43797b66dbc85e52db3f9ccbbab6a811 |
| SHA1 | 47cb18b091310ad396684f0619261332f1164f8d |
| SHA256 | 6e977411cea076427e903cba32827b2d78202021f62c6b045c1e4a65042e8d15 |
| SHA512 | c50e4c1855c7f44c7d83f650e18cbb05686b85ac993eb828cb8181106dfcf5b4fe732a97839430e44e7ef198dde0e5459a52845ff487597e039e63f4d7561fd5 |
\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | afd5d29bfcddb00b11a869fd2016282d |
| SHA1 | 0de3328c8a0dce66d17765665b29662de75e5d15 |
| SHA256 | 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748 |
| SHA512 | ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133 |
memory/392-76-0x0000000000C20000-0x0000000000C42000-memory.dmp
memory/392-77-0x00000000008E0000-0x0000000000920000-memory.dmp
memory/392-78-0x00000000008E0000-0x0000000000920000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-10 13:28
Reported
2023-07-10 13:30
Platform
win10v2004-20230703-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4872 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe | C:\Users\Admin\svchost.exe |
| PID 1148 wrote to memory of 3344 | N/A | C:\Users\Admin\svchost.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe
"C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe"
C:\Users\Admin\svchost.exe
"C:\Users\Admin\svchost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4872 -ip 4872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1492
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp |
| DE | 3.126.224.214:14997 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| DE | 3.126.224.214:14997 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| DE | 3.126.224.214:14997 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 140.121.18.2.in-addr.arpa | udp |
| DE | 3.126.224.214:14997 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| DE | 3.126.224.214:14997 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp |
| DE | 3.124.67.191:14997 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| DE | 3.124.67.191:14997 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp |
| DE | 3.68.56.232:14997 | 7.tcp.eu.ngrok.io | tcp |
Files
memory/4872-133-0x0000000000E10000-0x0000000000E46000-memory.dmp
C:\Users\Admin\svchost.exe
| MD5 | afd5d29bfcddb00b11a869fd2016282d |
| SHA1 | 0de3328c8a0dce66d17765665b29662de75e5d15 |
| SHA256 | 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748 |
| SHA512 | ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133 |
memory/1148-164-0x0000000000600000-0x0000000000622000-memory.dmp
memory/1148-165-0x0000000005BB0000-0x0000000006154000-memory.dmp
memory/1148-166-0x0000000005600000-0x0000000005692000-memory.dmp
memory/1148-167-0x0000000005390000-0x000000000539A000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | afd5d29bfcddb00b11a869fd2016282d |
| SHA1 | 0de3328c8a0dce66d17765665b29662de75e5d15 |
| SHA256 | 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748 |
| SHA512 | ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133 |