Analysis Overview
SHA256
0d4f6eed0b7579534b2c934d91298ddab1c88ebefc873f5b82243f5b182161ec
Threat Level: Known bad
The file 7ed42ba337d1cb153fb2470c0938fef0 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops startup file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-29 04:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-29 04:00
Reported
2024-01-29 04:03
Platform
win7-20231215-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
njRAT/Bladabindi
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp57F0.tmpizqighvc.exe | C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp57F0.tmpizqighvc.exe | C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmp57F0.tmpizqighvc = "C:\\Users\\Admin\\AppData\\Roaming\\tmp57F0.tmpizqighvc.exe" | C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 8.tcp.ngrok.io | N/A | N/A |
| N/A | 8.tcp.ngrok.io | N/A | N/A |
| N/A | 8.tcp.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe
"C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe"
C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe"
C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe
"C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe"
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
Network
Rows below are consolidated from the per-connection log; the Count column is the number of identical rows. Each DNS lookup of 8.tcp.ngrok.io returned a different AWS address, and the sample then ran a series of TCP sessions to that address on port 10093 until the next lookup, so within this report the tunnel hostname and port are the stable indicators, not the IP.
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 8.tcp.ngrok.io | udp | 3 |
| US | 3.142.129.56:10093 | 8.tcp.ngrok.io | tcp | 16 |
| US | 3.142.167.54:10093 | 8.tcp.ngrok.io | tcp | 24 |
| US | 3.19.130.43:10093 | 8.tcp.ngrok.io | tcp | 12 |
Files
C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe
| MD5 | 9d02de8e771827f73c26a3d669e579d7 |
| SHA1 | 4a8cdec5afa86832bafd59f17812896b47c4464f |
| SHA256 | 0531fa8add852becdab7c5235a9de90de117c0c6b06dcbcc58a397538e968f96 |
| SHA512 | daa07f74ab83c2c6bd183b679aa5cd9e055985f402bae968ee422cab4a056cad0a5b7ae5e30f65846eb041711f203751b809f75efc35cdd46920275a55787dc6 |
C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe
| MD5 | 67f4d91c4725ce8f1d86e15f49ef57c2 |
| SHA1 | de32cb8976e32543130eda1f3f8a495f324502f8 |
| SHA256 | 485dadce98a6cbc3c5ce2a5208bd22975451f3e00826c40e7fad474d1a05c679 |
| SHA512 | 348ed6bb2f8ee62cfae877d86dcc7ad2b915f6875aaf4c8c773d00754e9c77652f5db717cf7e2aaaa9f1418baae33aee1b61814dd921acb64049b74b842a86e0 |
memory/2936-11-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp
memory/2720-13-0x0000000000AC0000-0x0000000000B40000-memory.dmp
memory/2796-12-0x0000000074B80000-0x000000007512B000-memory.dmp
memory/2720-14-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp
memory/2796-15-0x0000000074B80000-0x000000007512B000-memory.dmp
memory/2796-16-0x00000000005D0000-0x0000000000610000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp57F0.tmpizqighvc.exe
| MD5 | c56edc1cf17484d49de0876be36b4f8c |
| SHA1 | 39959fb755bcaf23c92fd91fee93d33b64ae8d91 |
| SHA256 | 3796edc5afea91e6d0890d1d67558d10370206f5b1685c40752ff9d3d67df9e9 |
| SHA512 | c3cd566761acfa6dbc7e363704a5c8e5d1773d1ace5ee33ab9c8d61691d2d44da790f0bc9764298b2345157e4a043f8dab1000120fac6f0d3ea93c304f1eddfc |
memory/2552-29-0x0000000074B80000-0x000000007512B000-memory.dmp
memory/2552-30-0x00000000004C0000-0x0000000000500000-memory.dmp
memory/2552-32-0x0000000074B80000-0x000000007512B000-memory.dmp
memory/2796-31-0x0000000074B80000-0x000000007512B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
| MD5 | 565df4165447568662fdba324b8d3337 |
| SHA1 | e2e8e657599c98d5542cb2ead057e8782f176344 |
| SHA256 | 9811ac66c473f94ee4df4a142c51c468594edb84369aebc127a04aee29a472c1 |
| SHA512 | 012cee46578f1c434065bcbef9c24fbf9fd5b267e88d239658f5afc19dff0f1d308b5c2ec5663185dbbcc3576cde1490f3303110ab1be23d88bf9a757d94a7f1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
| MD5 | cf9247d361eb82e0998705690cf8bec9 |
| SHA1 | 9806ffc837a20d9928fd93aaebef55f8c51a711f |
| SHA256 | 663bfa5f36559bf94c7e665fbd29154e12df25976b5ce960f1a80ad5188d32c7 |
| SHA512 | 32b3130415ea527fd796afc84286e522c1690b01772de10325806f31d61b7c4a4e18f0f6cfd705ee30bd5bc882493e0e64eee508514405abb5c1a0230cee1674 |
memory/2720-37-0x0000000000AC0000-0x0000000000B40000-memory.dmp
memory/2720-38-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp
memory/2552-39-0x0000000074B80000-0x000000007512B000-memory.dmp
memory/2552-40-0x00000000004C0000-0x0000000000500000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-29 04:00
Reported
2024-01-29 04:02
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
njRAT/Bladabindi
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp4287.tmpizqighvc.exe | C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp4287.tmpizqighvc.exe | C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmp4287.tmpizqighvc = "C:\\Users\\Admin\\AppData\\Roaming\\tmp4287.tmpizqighvc.exe" | C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 8.tcp.ngrok.io | N/A | N/A |
| N/A | 8.tcp.ngrok.io | N/A | N/A |
| N/A | 8.tcp.ngrok.io | N/A | N/A |
| N/A | 8.tcp.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe
"C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe"
C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe"
C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
Network
Rows below are consolidated from the per-connection log; the Count column is the number of identical rows. As in behavioral1, each lookup of 8.tcp.ngrok.io resolved to a new address and the sample reconnected to it on port 10093.
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 8.tcp.ngrok.io | udp | 4 |
| US | 3.142.129.56:10093 | 8.tcp.ngrok.io | tcp | 17 |
| US | 3.142.167.4:10093 | 8.tcp.ngrok.io | tcp | 24 |
| US | 3.142.81.166:10093 | 8.tcp.ngrok.io | tcp | 10 |
| US | 8.8.8.8:53 | *.in-addr.arpa (PTR queries, listed below) | udp | 15 |
Three of the PTR queries (56.129.142.3.in-addr.arpa, 4.167.142.3.in-addr.arpa, 166.81.142.3.in-addr.arpa) are reverse lookups of the three ngrok endpoints above. The remaining twelve (241.150.49.20, 180.178.17.96, 73.159.190.20, 95.221.229.192, 183.142.211.20, 28.118.140.52, 26.165.165.52, 56.126.166.20, 217.135.221.88, 81.171.91.138, 19.229.111.52 and 173.178.17.96, all .in-addr.arpa) are for addresses the sample is not seen contacting anywhere in this report.
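Added example, not part of the sandbox report: the persistence and C2 indicators recorded in the Signatures, Processes and Network sections of both behavioral1 and behavioral2 (Run keys and Startup-folder drops that launch from user-writable paths, attrib.exe hiding Payload.exe with +h +r +s, DNS and TCP traffic to 8.tcp.ngrok.io) turned into detection rules and run over a constructed set of Sysmon-style events modelled on those rows. The event field names, the SID and the benign control events are this example's assumptions, and the ATT&CK technique IDs are this example's own mapping, since the report's ATT&CK section lists no techniques.

```python
"""Detection rules for the behaviour this report records: Run keys and Startup-folder
drops pointing at user-writable paths, attrib.exe hiding a dropped executable, and
DNS/TCP traffic to an ngrok TCP tunnel. Events are constructed, Sysmon-style dicts."""
import re
from collections import Counter

# Paths a standard user can write to. A Run key or Startup entry that launches
# from here is far more suspicious than one launching from Program Files.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
NGROK_TCP = re.compile(r"(^|\.)tcp\.ngrok\.io$", re.I)   # e.g. 8.tcp.ngrok.io


def classify(ev):
    """Return (technique, reason) findings for one event. Technique IDs are this
    example's ATT&CK mapping, not taken from the report."""
    hits = []
    kind = ev["type"]
    if kind == "registry_set" and RUN_KEY.search(ev["key"]):
        target = ev["value"].strip('"')
        if USER_WRITABLE.search(target):
            hits.append(("T1547.001", f"Run key launches from user-writable path: {target}"))
    elif kind == "file_create" and STARTUP_DIR.search(ev["path"]):
        hits.append(("T1547.001", f"file dropped into Startup folder: {ev['path']}"))
    elif kind == "process_create":
        args = set(ev["cmdline"].lower().split())
        # attrib +h +s (+r) on a file under %TEMP% / %APPDATA% is how Payload.exe was hidden.
        if ev["image"].lower().endswith("\\attrib.exe") and {"+h", "+s"} <= args \
                and USER_WRITABLE.search(ev["cmdline"]):
            hits.append(("T1564.001", f"attrib hides dropped file: {ev['cmdline']}"))
    elif kind in ("dns_query", "net_connect") and NGROK_TCP.search(ev.get("domain", "")):
        hits.append(("T1572", f"ngrok TCP tunnel: {ev['domain']} {ev.get('dst', '')}".rstrip()))
    return hits


def scan(events):
    """Group findings by technique and count C2 connections per endpoint, which
    reproduces the consolidated Network table (IP rotates, hostname and port persist)."""
    findings, c2 = {}, Counter()
    for ev in events:
        for tech, reason in classify(ev):
            findings.setdefault(tech, []).append(reason)
            if ev["type"] == "net_connect":
                c2[ev["dst"]] += 1
    return findings, c2


# Constructed telemetry modelled on the report's rows. The SID and the benign
# control events are invented for this example.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1000"
RUN = rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    {"type": "registry_set", "key": rf"{RUN}\tmp57F0.tmpizqighvc",
     "value": r'"C:\Users\Admin\AppData\Roaming\tmp57F0.tmpizqighvc.exe"'},
    {"type": "registry_set", "key": rf"{RUN}\Windows2", "value": rf'"{TEMP}\Payload.exe"'},
    {"type": "registry_set", "key": rf"{RUN}\OneDrive",                      # benign control
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": rf'attrib +h +r +s "{TEMP}\Payload.exe"'},
    {"type": "process_create", "image": r"C:\Windows\System32\attrib.exe",  # benign control
     "cmdline": r'attrib -r "C:\Users\Admin\Documents\notes.txt"'},
    {"type": "dns_query", "domain": "8.tcp.ngrok.io"},
    {"type": "net_connect", "domain": "8.tcp.ngrok.io", "dst": "3.142.129.56:10093"},
    {"type": "net_connect", "domain": "8.tcp.ngrok.io", "dst": "3.142.129.56:10093"},
    {"type": "net_connect", "domain": "8.tcp.ngrok.io", "dst": "3.142.167.54:10093"},
    {"type": "dns_query", "domain": "www.microsoft.com"},                    # benign control
]

if __name__ == "__main__":
    found, endpoints = scan(EVENTS)
    for tech, reasons in sorted(found.items()):
        for r in reasons:
            print(tech, r)
    for dst, n in endpoints.most_common():
        print(f"{n:3d} connections -> {dst}")
```

The rules key on what the report shows to be stable across both detonations: the user-writable launch path rather than the randomised tmpXXXX.tmp file names, the attrib flag combination rather than the hidden file's name, and the ngrok tunnel hostname rather than the rotating AWS address. The benign OneDrive Run key and the attrib -r call are there to show the rules do not fire on ordinary activity.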
Files
memory/2256-0-0x000000001BCD0000-0x000000001BD76000-memory.dmp
memory/2256-2-0x0000000001720000-0x0000000001730000-memory.dmp
memory/2256-1-0x00007FF85DEA0000-0x00007FF85E841000-memory.dmp
memory/2256-4-0x00007FF85DEA0000-0x00007FF85E841000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe
| MD5 | 9d02de8e771827f73c26a3d669e579d7 |
| SHA1 | 4a8cdec5afa86832bafd59f17812896b47c4464f |
| SHA256 | 0531fa8add852becdab7c5235a9de90de117c0c6b06dcbcc58a397538e968f96 |
| SHA512 | daa07f74ab83c2c6bd183b679aa5cd9e055985f402bae968ee422cab4a056cad0a5b7ae5e30f65846eb041711f203751b809f75efc35cdd46920275a55787dc6 |
C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe
| MD5 | 67f4d91c4725ce8f1d86e15f49ef57c2 |
| SHA1 | de32cb8976e32543130eda1f3f8a495f324502f8 |
| SHA256 | 485dadce98a6cbc3c5ce2a5208bd22975451f3e00826c40e7fad474d1a05c679 |
| SHA512 | 348ed6bb2f8ee62cfae877d86dcc7ad2b915f6875aaf4c8c773d00754e9c77652f5db717cf7e2aaaa9f1418baae33aee1b61814dd921acb64049b74b842a86e0 |
memory/3572-27-0x000000001C090000-0x000000001C0F2000-memory.dmp
memory/3572-26-0x0000000000ED0000-0x0000000000EE0000-memory.dmp
memory/2256-28-0x00007FF85DEA0000-0x00007FF85E841000-memory.dmp
memory/3572-29-0x00007FF85DEA0000-0x00007FF85E841000-memory.dmp
memory/3572-24-0x000000001BB00000-0x000000001BFCE000-memory.dmp
memory/3572-23-0x00007FF85DEA0000-0x00007FF85E841000-memory.dmp
memory/3908-31-0x0000000001060000-0x0000000001070000-memory.dmp
memory/3908-30-0x0000000074B60000-0x0000000075111000-memory.dmp
memory/3572-34-0x000000001C9F0000-0x000000001CA8C000-memory.dmp
memory/3572-38-0x0000000000ED0000-0x0000000000EE0000-memory.dmp
memory/4028-49-0x0000000074B60000-0x0000000075111000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
| MD5 | 22cb0526d259a32938e991b4d90f8c40 |
| SHA1 | 743a47e1b9f4941c4c7450bf650e2c2c62b10fd9 |
| SHA256 | 454087eae3ab0ef4cbe2389aa85dfee562a0cb92e7fd3ed4f35a5c8089b9e295 |
| SHA512 | c7dd4c17565bce130750b1a44a88edaeba193a95edac1f3dc25f9e5e24643a15867b91cce549f08d41ecb6d969a6fa843b593d1f88b481b79beb64eb155be511 |
memory/4028-50-0x0000000074B60000-0x0000000075111000-memory.dmp
memory/3908-48-0x0000000074B60000-0x0000000075111000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
| MD5 | ea09e68527bab5fd3c199172a8e34245 |
| SHA1 | 28fdeb23907f350133827d84b2af791e6eb1776c |
| SHA256 | 070dd70f232d0f6af8db13d0653be8102617dd0233d8fb4d3b5bc15d78e8f751 |
| SHA512 | ab13c8807319a660bbe8efa91b413a5f7ec8b36cc7e1d18a374622f09671a2f612acc0bafa51b6df7bbd067451adaafdef0d489d2f67162606a720b04ec063cd |
memory/3572-55-0x0000000000ED0000-0x0000000000EE0000-memory.dmp
memory/3572-56-0x00007FF85DEA0000-0x00007FF85E841000-memory.dmp
memory/3572-57-0x0000000000ED0000-0x0000000000EE0000-memory.dmp
memory/4028-58-0x0000000074B60000-0x0000000075111000-memory.dmp