Analysis Overview
SHA256
565a2849bb4f871c9b4da984ebddfb8ecc29f8f74806c551d803101b8c42c652
Threat Level: Known bad
The file 8c9c29e59baf663d0b071b9efdec3bea.bin was found to be: Known bad. In the behavioral runs below the sample executes under the filename b4d092bdd58610ec77ef6713fe7559c39a52f77d37f8a3c5044e1b95e98f969e.exe; that name is not the SHA256 reported above, so pivot on the hash at the top of this report rather than on the filename, and treat the dropped file's own hash (listed under Files) as a second indicator.
Malicious Activity Summary
Vanilla Rat payload
Vanillarat family
VanillaRat
Vanilla Rat payload
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-18 02:03
Signatures
Vanilla Rat payload
Vanillarat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-18 02:03
Reported
2023-07-18 02:06
Platform
win7-20230712-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4d092bdd58610ec77ef6713fe7559c39a52f77d37f8a3c5044e1b95e98f969e.exe | N/A |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4d092bdd58610ec77ef6713fe7559c39a52f77d37f8a3c5044e1b95e98f969e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4d092bdd58610ec77ef6713fe7559c39a52f77d37f8a3c5044e1b95e98f969e.exe
"C:\Users\Admin\AppData\Local\Temp\b4d092bdd58610ec77ef6713fe7559c39a52f77d37f8a3c5044e1b95e98f969e.exe"
C:\Users\Admin\svchost.exe
"C:\Users\Admin\svchost.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
Network
Identical consecutive rows are collapsed; the last column gives how many times each row appeared in the original table.
| Country | Destination | Domain | Proto | Consecutive rows |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp | 1 |
| DE | 52.28.112.211:19840 | 4.tcp.eu.ngrok.io | tcp | 52 |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp | 1 |
| DE | 3.127.253.86:19840 | 4.tcp.eu.ngrok.io | tcp | 1 |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp | 1 |
| DE | 52.28.112.211:19840 | 4.tcp.eu.ngrok.io | tcp | 15 |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp | 1 |
| DE | 18.198.77.177:19840 | 4.tcp.eu.ngrok.io | tcp | 53 |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp | 1 |
| DE | 3.127.59.75:19840 | 4.tcp.eu.ngrok.io | tcp | 5 |
The sample re-resolves 4.tcp.eu.ngrok.io between connection bursts and follows whichever address the name currently returns, so the command-and-control indicator is the ngrok TCP tunnel (name plus port 19840), not any single edge address.
Files
memory/2236-54-0x0000000000DE0000-0x0000000000E2A000-memory.dmp
memory/2236-55-0x0000000073CE0000-0x00000000743CE000-memory.dmp
\Users\Admin\svchost.exe (recorded four times in the original report, also under the path C:\Users\Admin\svchost.exe; every copy has the hashes below)
| MD5 | 2e5422412d23d9f1c1dff78719447728 |
| SHA1 | 00440171a8963d4454aa8e63fb3a25fd85585091 |
| SHA256 | 3f0ce66700b7011c8fa2e8a1709c43fb79882721afa0f5e1bbeb8a5c29d81d03 |
| SHA512 | 77b31e4a05b73495b4ca8698b046bef8cdec82845d316b304679b2521529be38d1dd0cd4e471cf04097ce734f588312214687ec0c8582a5ff5676b68b4e61521 |
memory/2960-64-0x00000000010B0000-0x00000000010D2000-memory.dmp
memory/2236-66-0x0000000073CE0000-0x00000000743CE000-memory.dmp
memory/2960-65-0x0000000073CE0000-0x00000000743CE000-memory.dmp
memory/2960-67-0x0000000004E20000-0x0000000004E60000-memory.dmp
\Users\Admin\AppData\Roaming\svchost.exe (recorded three times, also as C:\Users\Admin\AppData\Roaming\svchost.exe; byte-identical to C:\Users\Admin\svchost.exe)
| MD5 | 2e5422412d23d9f1c1dff78719447728 |
| SHA1 | 00440171a8963d4454aa8e63fb3a25fd85585091 |
| SHA256 | 3f0ce66700b7011c8fa2e8a1709c43fb79882721afa0f5e1bbeb8a5c29d81d03 |
| SHA512 | 77b31e4a05b73495b4ca8698b046bef8cdec82845d316b304679b2521529be38d1dd0cd4e471cf04097ce734f588312214687ec0c8582a5ff5676b68b4e61521 |
memory/2944-75-0x00000000001C0000-0x00000000001E2000-memory.dmp
memory/2960-76-0x0000000073CE0000-0x00000000743CE000-memory.dmp
memory/2944-77-0x0000000073CE0000-0x00000000743CE000-memory.dmp
memory/2944-78-0x0000000004D20000-0x0000000004D60000-memory.dmp
memory/2944-79-0x0000000073CE0000-0x00000000743CE000-memory.dmp
memory/2944-80-0x0000000004D20000-0x0000000004D60000-memory.dmp
Both dropped paths hold the same binary (SHA256 3f0ce66700b7011c8fa2e8a1709c43fb79882721afa0f5e1bbeb8a5c29d81d03), which differs from the submitted file's SHA256 at the top of this report; both hashes belong in any indicator set derived from this analysis.
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-18 02:03
Reported
2023-07-18 02:06
Platform
win10v2004-20230703-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
VanillaRat
Vanilla Rat payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b4d092bdd58610ec77ef6713fe7559c39a52f77d37f8a3c5044e1b95e98f969e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4d092bdd58610ec77ef6713fe7559c39a52f77d37f8a3c5044e1b95e98f969e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4680 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\b4d092bdd58610ec77ef6713fe7559c39a52f77d37f8a3c5044e1b95e98f969e.exe | C:\Users\Admin\svchost.exe |
| PID 4680 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\b4d092bdd58610ec77ef6713fe7559c39a52f77d37f8a3c5044e1b95e98f969e.exe | C:\Users\Admin\svchost.exe |
| PID 4680 wrote to memory of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\b4d092bdd58610ec77ef6713fe7559c39a52f77d37f8a3c5044e1b95e98f969e.exe | C:\Users\Admin\svchost.exe |
| PID 4932 wrote to memory of 4676 | N/A | C:\Users\Admin\svchost.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 4932 wrote to memory of 4676 | N/A | C:\Users\Admin\svchost.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
| PID 4932 wrote to memory of 4676 | N/A | C:\Users\Admin\svchost.exe | C:\Users\Admin\AppData\Roaming\svchost.exe |
In each case the writer is the parent of the process it writes to (4680 spawned 4932, 4932 spawned 4676), which is consistent with ordinary process creation rather than code injection; the signature fires on the API call itself, so the useful evidence here is the process chain it documents, not the write.
Processes
C:\Users\Admin\AppData\Local\Temp\b4d092bdd58610ec77ef6713fe7559c39a52f77d37f8a3c5044e1b95e98f969e.exe
"C:\Users\Admin\AppData\Local\Temp\b4d092bdd58610ec77ef6713fe7559c39a52f77d37f8a3c5044e1b95e98f969e.exe"
C:\Users\Admin\svchost.exe
"C:\Users\Admin\svchost.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
Network
Identical consecutive rows are collapsed; the last column gives how many times each row appeared in the original table.
| Country | Destination | Domain | Proto | Consecutive rows |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 155.245.36.23.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp | 1 |
| DE | 52.28.112.211:19840 | 4.tcp.eu.ngrok.io | tcp | 11 |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp | 1 |
| DE | 52.28.112.211:19840 | 4.tcp.eu.ngrok.io | tcp | 14 |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp | 1 |
| DE | 18.198.77.177:19840 | 4.tcp.eu.ngrok.io | tcp | 10 |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp | 1 |
| DE | 18.198.77.177:19840 | 4.tcp.eu.ngrok.io | tcp | 8 |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp | 1 |
| DE | 18.198.77.177:19840 | 4.tcp.eu.ngrok.io | tcp | 9 |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp | 1 |
| DE | 3.127.59.75:19840 | 4.tcp.eu.ngrok.io | tcp | 8 |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp | 1 |
| DE | 3.127.59.75:19840 | 4.tcp.eu.ngrok.io | tcp | 4 |
The in-addr.arpa rows are reverse lookups of Microsoft and CDN address space, typical Windows 10 background activity in the sandbox rather than behaviour of the sample, and should not be carried over as indicators. The ngrok rows are the sample's traffic: as in behavioral1 it re-resolves 4.tcp.eu.ngrok.io and reconnects to each new answer on port 19840.
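Both behavioral runs show the same network picture: the sample resolves 4.tcp.eu.ngrok.io, connects repeatedly to whichever ngrok edge address it received on port 19840, re-resolves, and follows the new answer. The script below is an added example, not code from this report or from the sandbox vendor. It takes rows in the (country, destination, domain, proto) shape of these Network tables, constructed here to mirror the behavioral2 per-address totals with two of its reverse-lookup rows and a benign www.msftconnecttest.com control row that is an assumption, separates DNS noise from real connections, and reports the ngrok tunnel endpoints, the reconnect count and how often the tunnel name was re-queried. The ngrok TCP hostname pattern is the only classification rule it applies.

```python
import re
from collections import Counter, defaultdict

# Constructed rows mirroring the behavioral2 Network table of this report: two of its
# reverse-lookup rows, the three ngrok bursts with their real totals, and one benign
# control (www.msftconnecttest.com) that is an assumption, not something the report shows.
ROWS = (
    [("US", "8.8.8.8:53", "2.136.104.51.in-addr.arpa", "udp"),
     ("US", "8.8.8.8:53", "8.3.197.209.in-addr.arpa", "udp"),
     ("US", "8.8.8.8:53", "www.msftconnecttest.com", "udp"),       # control
     ("US", "13.107.4.52:80", "www.msftconnecttest.com", "tcp"),   # control
     ("US", "8.8.8.8:53", "4.tcp.eu.ngrok.io", "udp")]
    + [("DE", "52.28.112.211:19840", "4.tcp.eu.ngrok.io", "tcp")] * 25
    + [("US", "8.8.8.8:53", "4.tcp.eu.ngrok.io", "udp")]
    + [("DE", "18.198.77.177:19840", "4.tcp.eu.ngrok.io", "tcp")] * 27
    + [("US", "8.8.8.8:53", "4.tcp.eu.ngrok.io", "udp")]
    + [("DE", "3.127.59.75:19840", "4.tcp.eu.ngrok.io", "tcp")] * 12
)

# ngrok TCP tunnel endpoints look like "<n>.tcp.ngrok.io" or "<n>.tcp.<region>.ngrok.io"
NGROK_TCP = re.compile(r"^\d+\.tcp(\.[a-z0-9-]+)?\.ngrok\.io$", re.I)


def is_reverse_lookup(domain):
    d = domain.lower()
    return d.endswith(".in-addr.arpa") or d.endswith(".ip6.arpa")


def summarize(rows):
    """Split DNS rows from real connections; count connections per endpoint and queries per name."""
    conns = Counter()              # (ip, port, domain) -> number of connections
    resolved = defaultdict(set)    # domain -> every address it was seen connecting to
    queries = Counter()            # forward DNS queries per name
    reverse_noise = 0
    for _country, dest, domain, proto in rows:
        if proto == "udp" and dest.endswith(":53"):
            if is_reverse_lookup(domain):
                reverse_noise += 1
            else:
                queries[domain] += 1
            continue
        ip, port = dest.rsplit(":", 1)
        conns[(ip, int(port), domain)] += 1
        resolved[domain].add(ip)
    return conns, resolved, queries, reverse_noise


def tunnel_report(rows):
    """Flag ngrok TCP tunnel traffic and describe how the sample chased the changing answer."""
    conns, resolved, queries, reverse_noise = summarize(rows)
    endpoints = [
        {"ip": ip, "port": port, "domain": domain, "connections": n}
        for (ip, port, domain), n in sorted(conns.items())
        if NGROK_TCP.match(domain)
    ]
    domains = sorted({e["domain"] for e in endpoints})
    return {
        "tunnel_endpoints": endpoints,
        "tunnel_domains": domains,
        "tunnel_ips": sorted({e["ip"] for e in endpoints}),
        "tunnel_ports": sorted({e["port"] for e in endpoints}),
        "tunnel_connections": sum(e["connections"] for e in endpoints),
        "resolutions": {d: queries[d] for d in domains},   # how often the name was re-queried
        "reverse_lookup_noise": reverse_noise,
    }


if __name__ == "__main__":
    r = tunnel_report(ROWS)
    for e in r["tunnel_endpoints"]:
        print(f'{e["domain"]} -> {e["ip"]}:{e["port"]}  x{e["connections"]}')
    print("reconnects:", r["tunnel_connections"], "re-resolutions:", r["resolutions"])
```

The stable indicator is the tunnel name and port together (4.tcp.eu.ngrok.io:19840): the edge addresses are shared ngrok infrastructure that other tenants also use and that the name rotates through, so blocking on them produces both misses and collateral damage. Where ngrok is not a sanctioned tool, alerting on any resolution matching the <n>.tcp.<region>.ngrok.io pattern is the cheaper control, and it catches the next sample that uses a different tunnel number.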
Files
memory/4680-133-0x0000000074D60000-0x0000000075510000-memory.dmp
memory/4680-134-0x0000000000970000-0x00000000009BA000-memory.dmp
memory/4680-135-0x0000000005360000-0x00000000053FC000-memory.dmp
C:\Users\Admin\svchost.exe (recorded three times in the original report; every copy has the hashes below)
| MD5 | 2e5422412d23d9f1c1dff78719447728 |
| SHA1 | 00440171a8963d4454aa8e63fb3a25fd85585091 |
| SHA256 | 3f0ce66700b7011c8fa2e8a1709c43fb79882721afa0f5e1bbeb8a5c29d81d03 |
| SHA512 | 77b31e4a05b73495b4ca8698b046bef8cdec82845d316b304679b2521529be38d1dd0cd4e471cf04097ce734f588312214687ec0c8582a5ff5676b68b4e61521 |
memory/4932-166-0x0000000000720000-0x0000000000742000-memory.dmp
memory/4932-168-0x0000000074D60000-0x0000000075510000-memory.dmp
memory/4680-170-0x0000000074D60000-0x0000000075510000-memory.dmp
memory/4932-169-0x0000000005BD0000-0x0000000006174000-memory.dmp
memory/4932-171-0x0000000005720000-0x00000000057B2000-memory.dmp
memory/4932-172-0x00000000057E0000-0x00000000057EA000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe (recorded twice; byte-identical to C:\Users\Admin\svchost.exe)
| MD5 | 2e5422412d23d9f1c1dff78719447728 |
| SHA1 | 00440171a8963d4454aa8e63fb3a25fd85585091 |
| SHA256 | 3f0ce66700b7011c8fa2e8a1709c43fb79882721afa0f5e1bbeb8a5c29d81d03 |
| SHA512 | 77b31e4a05b73495b4ca8698b046bef8cdec82845d316b304679b2521529be38d1dd0cd4e471cf04097ce734f588312214687ec0c8582a5ff5676b68b4e61521 |
memory/4932-184-0x0000000074D60000-0x0000000075510000-memory.dmp
memory/4676-185-0x0000000074D60000-0x0000000075510000-memory.dmp
memory/4676-186-0x0000000074D60000-0x0000000075510000-memory.dmp
The dropped binary is the same on Windows 7 and Windows 10 (SHA256 3f0ce66700b7011c8fa2e8a1709c43fb79882721afa0f5e1bbeb8a5c29d81d03) and differs from the submitted file's SHA256 at the top of this report; both hashes belong in any indicator set derived from this analysis.