Analysis Overview
SHA256
203b9d7b8796ea071beb263723991d57a40b25b77d0cbd2e4bd8dff62601331e
Threat Level: Known bad
The file TeamViewer_Setup.exe was found to be: Known bad.
Malicious Activity Summary
Vanilla Rat payload
VanillaRat
Vanillarat family
Vanilla Rat payload
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-17 10:58
Signatures
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Vanillarat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-17 10:58
Reported
2023-07-17 11:00
Platform
win7-20230712-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\dllhоst.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\сsrss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhоst.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Windows\\SysWOW64\\dllhоst.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\dllhоst.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A |
| File created | C:\Windows\SysWOW64\сsrss.exe | C:\Windows\SysWOW64\dllhоst.exe | N/A |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhоst.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\сsrss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"
C:\Windows\SysWOW64\dllhоst.exe
"C:\Windows\System32\dllhоst.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Windows\SysWOW64\dllhоst.exe /f
C:\Windows\SysWOW64\сsrss.exe
"C:\Windows\SysWOW64\сsrss.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp |
| DE | 3.67.15.169:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.67.15.169:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.67.15.169:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.67.15.169:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.67.15.169:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.67.15.169:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.67.15.169:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.67.15.169:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.67.15.169:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.67.15.169:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.67.15.169:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.67.15.169:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.67.15.169:13001 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | tcp |
Files
memory/2324-54-0x0000000001230000-0x0000000001262000-memory.dmp
memory/2324-55-0x0000000074750000-0x0000000074E3E000-memory.dmp
\Windows\SysWOW64\dllhоst.exe
| MD5 | 2bdc96dbce5e135529f676c6b88764c7 |
| SHA1 | 580f2ab7c6f326c623bbd7ae4868f42daa0571e4 |
| SHA256 | a0ad6a336ea6eb88b3ee5c053ad14c6407de5baa3220bc66059d093e0d9d9ceb |
| SHA512 | 5682b35829f564ee41f8474288fd55e892373686c17084b10ee739e2dd0fa4d63a147a795f7f27ae32da599686d9458091b8a716272d5ad8d7fbe56b7c0cb453 |
C:\Windows\SysWOW64\dllhоst.exe
| MD5 | 2bdc96dbce5e135529f676c6b88764c7 |
| SHA1 | 580f2ab7c6f326c623bbd7ae4868f42daa0571e4 |
| SHA256 | a0ad6a336ea6eb88b3ee5c053ad14c6407de5baa3220bc66059d093e0d9d9ceb |
| SHA512 | 5682b35829f564ee41f8474288fd55e892373686c17084b10ee739e2dd0fa4d63a147a795f7f27ae32da599686d9458091b8a716272d5ad8d7fbe56b7c0cb453 |
C:\Windows\SysWOW64\dllhоst.exe
| MD5 | 2bdc96dbce5e135529f676c6b88764c7 |
| SHA1 | 580f2ab7c6f326c623bbd7ae4868f42daa0571e4 |
| SHA256 | a0ad6a336ea6eb88b3ee5c053ad14c6407de5baa3220bc66059d093e0d9d9ceb |
| SHA512 | 5682b35829f564ee41f8474288fd55e892373686c17084b10ee739e2dd0fa4d63a147a795f7f27ae32da599686d9458091b8a716272d5ad8d7fbe56b7c0cb453 |
memory/1356-64-0x00000000001C0000-0x00000000001E8000-memory.dmp
memory/1356-63-0x0000000074750000-0x0000000074E3E000-memory.dmp
memory/2324-65-0x0000000074750000-0x0000000074E3E000-memory.dmp
memory/1356-66-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
\Windows\SysWOW64\сsrss.exe
| MD5 | baf28af74bec2fee218fc030c48ff403 |
| SHA1 | 904379111848e20d2910e7122ea0713dc7dd76f4 |
| SHA256 | 60ee28f72aad91470ce00cb75c029b0b2fbf440d734bdec00bd5bf8a6adfca5c |
| SHA512 | 6fcc43d6898a7e60a8c9ebdac31a4fc074ad0c20cbe4297b8d632ab653a01450a6b57cd43ae5126ff542517f1b6d43c56d62d23c863aa2e70650a9d265e6d081 |
C:\Windows\SysWOW64\сsrss.exe
| MD5 | baf28af74bec2fee218fc030c48ff403 |
| SHA1 | 904379111848e20d2910e7122ea0713dc7dd76f4 |
| SHA256 | 60ee28f72aad91470ce00cb75c029b0b2fbf440d734bdec00bd5bf8a6adfca5c |
| SHA512 | 6fcc43d6898a7e60a8c9ebdac31a4fc074ad0c20cbe4297b8d632ab653a01450a6b57cd43ae5126ff542517f1b6d43c56d62d23c863aa2e70650a9d265e6d081 |
C:\Windows\SysWOW64\сsrss.exe
| MD5 | baf28af74bec2fee218fc030c48ff403 |
| SHA1 | 904379111848e20d2910e7122ea0713dc7dd76f4 |
| SHA256 | 60ee28f72aad91470ce00cb75c029b0b2fbf440d734bdec00bd5bf8a6adfca5c |
| SHA512 | 6fcc43d6898a7e60a8c9ebdac31a4fc074ad0c20cbe4297b8d632ab653a01450a6b57cd43ae5126ff542517f1b6d43c56d62d23c863aa2e70650a9d265e6d081 |
memory/3036-74-0x0000000000080000-0x00000000000A2000-memory.dmp
memory/3036-75-0x0000000074750000-0x0000000074E3E000-memory.dmp
memory/3036-76-0x0000000004C40000-0x0000000004C80000-memory.dmp
memory/1356-77-0x0000000074750000-0x0000000074E3E000-memory.dmp
memory/1356-78-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
memory/3036-79-0x0000000074750000-0x0000000074E3E000-memory.dmp
memory/3036-80-0x0000000004C40000-0x0000000004C80000-memory.dmp
memory/3036-81-0x0000000004C40000-0x0000000004C80000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-17 10:58
Reported
2023-07-17 11:00
Platform
win10v2004-20230703-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\dllhоst.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\dllhоst.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\сsrss.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Windows\\SysWOW64\\dllhоst.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\dllhоst.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A |
| File created | C:\Windows\SysWOW64\сsrss.exe | C:\Windows\SysWOW64\dllhоst.exe | N/A |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhоst.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2868 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\dllhоst.exe |
| PID 2868 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\dllhоst.exe |
| PID 2868 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\dllhоst.exe |
| PID 2016 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\dllhоst.exe | C:\Windows\SysWOW64\reg.exe |
| PID 2016 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\dllhоst.exe | C:\Windows\SysWOW64\reg.exe |
| PID 2016 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\dllhоst.exe | C:\Windows\SysWOW64\reg.exe |
| PID 2016 wrote to memory of 1320 | N/A | C:\Windows\SysWOW64\dllhоst.exe | C:\Windows\SysWOW64\сsrss.exe |
| PID 2016 wrote to memory of 1320 | N/A | C:\Windows\SysWOW64\dllhоst.exe | C:\Windows\SysWOW64\сsrss.exe |
| PID 2016 wrote to memory of 1320 | N/A | C:\Windows\SysWOW64\dllhоst.exe | C:\Windows\SysWOW64\сsrss.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"
C:\Windows\SysWOW64\dllhоst.exe
"C:\Windows\System32\dllhоst.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Windows\SysWOW64\dllhоst.exe /f
C:\Windows\SysWOW64\сsrss.exe
"C:\Windows\SysWOW64\сsrss.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.3.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 232.56.68.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 126.178.238.8.in-addr.arpa | udp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 168.188.125.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.125.188.168:13001 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 7.tcp.eu.ngrok.io | udp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
| DE | 3.68.56.232:13001 | 7.tcp.eu.ngrok.io | tcp |
Files
memory/2868-133-0x0000000000940000-0x0000000000972000-memory.dmp
memory/2868-134-0x0000000074B80000-0x0000000075330000-memory.dmp
C:\Windows\SysWOW64\dllhоst.exe
| MD5 | 2bdc96dbce5e135529f676c6b88764c7 |
| SHA1 | 580f2ab7c6f326c623bbd7ae4868f42daa0571e4 |
| SHA256 | a0ad6a336ea6eb88b3ee5c053ad14c6407de5baa3220bc66059d093e0d9d9ceb |
| SHA512 | 5682b35829f564ee41f8474288fd55e892373686c17084b10ee739e2dd0fa4d63a147a795f7f27ae32da599686d9458091b8a716272d5ad8d7fbe56b7c0cb453 |
C:\Windows\SysWOW64\dllhоst.exe
| MD5 | 2bdc96dbce5e135529f676c6b88764c7 |
| SHA1 | 580f2ab7c6f326c623bbd7ae4868f42daa0571e4 |
| SHA256 | a0ad6a336ea6eb88b3ee5c053ad14c6407de5baa3220bc66059d093e0d9d9ceb |
| SHA512 | 5682b35829f564ee41f8474288fd55e892373686c17084b10ee739e2dd0fa4d63a147a795f7f27ae32da599686d9458091b8a716272d5ad8d7fbe56b7c0cb453 |
C:\Windows\SysWOW64\dllhоst.exe
| MD5 | 2bdc96dbce5e135529f676c6b88764c7 |
| SHA1 | 580f2ab7c6f326c623bbd7ae4868f42daa0571e4 |
| SHA256 | a0ad6a336ea6eb88b3ee5c053ad14c6407de5baa3220bc66059d093e0d9d9ceb |
| SHA512 | 5682b35829f564ee41f8474288fd55e892373686c17084b10ee739e2dd0fa4d63a147a795f7f27ae32da599686d9458091b8a716272d5ad8d7fbe56b7c0cb453 |
memory/2016-149-0x0000000000630000-0x0000000000658000-memory.dmp
memory/2016-148-0x0000000074B80000-0x0000000075330000-memory.dmp
memory/2868-147-0x0000000074B80000-0x0000000075330000-memory.dmp
memory/2016-150-0x0000000004F20000-0x0000000004FBC000-memory.dmp
memory/2016-151-0x0000000005570000-0x0000000005B14000-memory.dmp
memory/2016-152-0x0000000004FC0000-0x0000000005052000-memory.dmp
memory/2016-153-0x0000000005230000-0x0000000005240000-memory.dmp
memory/2016-154-0x0000000004F10000-0x0000000004F1A000-memory.dmp
memory/2016-155-0x00000000051B0000-0x0000000005206000-memory.dmp
C:\Windows\SysWOW64\сsrss.exe
| MD5 | baf28af74bec2fee218fc030c48ff403 |
| SHA1 | 904379111848e20d2910e7122ea0713dc7dd76f4 |
| SHA256 | 60ee28f72aad91470ce00cb75c029b0b2fbf440d734bdec00bd5bf8a6adfca5c |
| SHA512 | 6fcc43d6898a7e60a8c9ebdac31a4fc074ad0c20cbe4297b8d632ab653a01450a6b57cd43ae5126ff542517f1b6d43c56d62d23c863aa2e70650a9d265e6d081 |
C:\Windows\SysWOW64\сsrss.exe
| MD5 | baf28af74bec2fee218fc030c48ff403 |
| SHA1 | 904379111848e20d2910e7122ea0713dc7dd76f4 |
| SHA256 | 60ee28f72aad91470ce00cb75c029b0b2fbf440d734bdec00bd5bf8a6adfca5c |
| SHA512 | 6fcc43d6898a7e60a8c9ebdac31a4fc074ad0c20cbe4297b8d632ab653a01450a6b57cd43ae5126ff542517f1b6d43c56d62d23c863aa2e70650a9d265e6d081 |
C:\Windows\SysWOW64\сsrss.exe
| MD5 | baf28af74bec2fee218fc030c48ff403 |
| SHA1 | 904379111848e20d2910e7122ea0713dc7dd76f4 |
| SHA256 | 60ee28f72aad91470ce00cb75c029b0b2fbf440d734bdec00bd5bf8a6adfca5c |
| SHA512 | 6fcc43d6898a7e60a8c9ebdac31a4fc074ad0c20cbe4297b8d632ab653a01450a6b57cd43ae5126ff542517f1b6d43c56d62d23c863aa2e70650a9d265e6d081 |
memory/1320-167-0x0000000000110000-0x0000000000132000-memory.dmp
memory/1320-168-0x0000000074B80000-0x0000000075330000-memory.dmp
memory/1320-169-0x0000000004C40000-0x0000000004C50000-memory.dmp
memory/1320-170-0x0000000008FE0000-0x0000000009046000-memory.dmp
memory/2016-171-0x0000000074B80000-0x0000000075330000-memory.dmp
memory/2016-172-0x0000000005230000-0x0000000005240000-memory.dmp
memory/1320-173-0x0000000074B80000-0x0000000075330000-memory.dmp
memory/1320-174-0x0000000004C40000-0x0000000004C50000-memory.dmp