Malware Analysis Report

2024-10-23 20:55

Sample ID 230710-qqpb5sbf9v
Target FirefoxInstallerexe.exe
SHA256 6e977411cea076427e903cba32827b2d78202021f62c6b045c1e4a65042e8d15
Tags
rat vanillarat persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e977411cea076427e903cba32827b2d78202021f62c6b045c1e4a65042e8d15

Threat Level: Known bad

The file FirefoxInstallerexe.exe was found to be: Known bad.

Malicious Activity Summary

rat vanillarat persistence

Vanilla Rat payload

Vanillarat family

VanillaRat

Vanilla Rat payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-10 13:28

Signatures

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Vanillarat family

vanillarat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-10 13:28

Reported

2023-07-10 13:30

Platform

win7-20230703-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe

"C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe"

C:\Users\Admin\svchost.exe

"C:\Users\Admin\svchost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 892

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp
DE 3.67.15.169:14997 7.tcp.eu.ngrok.io tcp

Files

memory/2280-54-0x0000000001170000-0x00000000011A6000-memory.dmp

C:\Users\Admin\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

C:\Users\Admin\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

\Users\Admin\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

C:\Users\Admin\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

memory/2100-63-0x00000000002F0000-0x0000000000312000-memory.dmp

\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe

MD5 43797b66dbc85e52db3f9ccbbab6a811
SHA1 47cb18b091310ad396684f0619261332f1164f8d
SHA256 6e977411cea076427e903cba32827b2d78202021f62c6b045c1e4a65042e8d15
SHA512 c50e4c1855c7f44c7d83f650e18cbb05686b85ac993eb828cb8181106dfcf5b4fe732a97839430e44e7ef198dde0e5459a52845ff487597e039e63f4d7561fd5

\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe

MD5 43797b66dbc85e52db3f9ccbbab6a811
SHA1 47cb18b091310ad396684f0619261332f1164f8d
SHA256 6e977411cea076427e903cba32827b2d78202021f62c6b045c1e4a65042e8d15
SHA512 c50e4c1855c7f44c7d83f650e18cbb05686b85ac993eb828cb8181106dfcf5b4fe732a97839430e44e7ef198dde0e5459a52845ff487597e039e63f4d7561fd5

\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe

MD5 43797b66dbc85e52db3f9ccbbab6a811
SHA1 47cb18b091310ad396684f0619261332f1164f8d
SHA256 6e977411cea076427e903cba32827b2d78202021f62c6b045c1e4a65042e8d15
SHA512 c50e4c1855c7f44c7d83f650e18cbb05686b85ac993eb828cb8181106dfcf5b4fe732a97839430e44e7ef198dde0e5459a52845ff487597e039e63f4d7561fd5

\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe

MD5 43797b66dbc85e52db3f9ccbbab6a811
SHA1 47cb18b091310ad396684f0619261332f1164f8d
SHA256 6e977411cea076427e903cba32827b2d78202021f62c6b045c1e4a65042e8d15
SHA512 c50e4c1855c7f44c7d83f650e18cbb05686b85ac993eb828cb8181106dfcf5b4fe732a97839430e44e7ef198dde0e5459a52845ff487597e039e63f4d7561fd5

\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe

MD5 43797b66dbc85e52db3f9ccbbab6a811
SHA1 47cb18b091310ad396684f0619261332f1164f8d
SHA256 6e977411cea076427e903cba32827b2d78202021f62c6b045c1e4a65042e8d15
SHA512 c50e4c1855c7f44c7d83f650e18cbb05686b85ac993eb828cb8181106dfcf5b4fe732a97839430e44e7ef198dde0e5459a52845ff487597e039e63f4d7561fd5

\Users\Admin\AppData\Roaming\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

memory/392-76-0x0000000000C20000-0x0000000000C42000-memory.dmp

memory/392-77-0x00000000008E0000-0x0000000000920000-memory.dmp

memory/392-78-0x00000000008E0000-0x0000000000920000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-10 13:28

Reported

2023-07-10 13:30

Platform

win10v2004-20230703-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation C:\Users\Admin\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe

"C:\Users\Admin\AppData\Local\Temp\FirefoxInstallerexe.exe"

C:\Users\Admin\svchost.exe

"C:\Users\Admin\svchost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4872 -ip 4872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1492

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 140.121.18.2.in-addr.arpa udp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
DE 3.126.224.214:14997 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
DE 3.124.67.191:14997 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.68.56.232:14997 7.tcp.eu.ngrok.io tcp
DE 3.68.56.232:14997 7.tcp.eu.ngrok.io tcp
DE 3.68.56.232:14997 7.tcp.eu.ngrok.io tcp
DE 3.68.56.232:14997 7.tcp.eu.ngrok.io tcp
DE 3.68.56.232:14997 7.tcp.eu.ngrok.io tcp
DE 3.68.56.232:14997 7.tcp.eu.ngrok.io tcp
DE 3.68.56.232:14997 7.tcp.eu.ngrok.io tcp
DE 3.68.56.232:14997 7.tcp.eu.ngrok.io tcp
DE 3.68.56.232:14997 7.tcp.eu.ngrok.io tcp
DE 3.68.56.232:14997 7.tcp.eu.ngrok.io tcp

Files

memory/4872-133-0x0000000000E10000-0x0000000000E46000-memory.dmp

C:\Users\Admin\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

C:\Users\Admin\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

C:\Users\Admin\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

memory/1148-164-0x0000000000600000-0x0000000000622000-memory.dmp

memory/1148-165-0x0000000005BB0000-0x0000000006154000-memory.dmp

memory/1148-166-0x0000000005600000-0x0000000005692000-memory.dmp

memory/1148-167-0x0000000005390000-0x000000000539A000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 afd5d29bfcddb00b11a869fd2016282d
SHA1 0de3328c8a0dce66d17765665b29662de75e5d15
SHA256 38194b42cc180ab72aed1256447bec9b8b65910241e5a2b97ac29b0c12d95748
SHA512 ce3aaf59162768087bbb34de0767c74ee05e8f13a19559c49896f5249d36900ee14270ade74964c8cd3d8b6bcf684002cf3bddc8d14856907d2b2b2d0026f133