
Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/10/2024, 08:23 UTC

General

  • Target

    c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe

  • Size

    37KB

  • MD5

    0e78a49bf12394a06cf511f72d76c040

  • SHA1

    6bac7cc2f03a22654151501a02570b41a9db4365

  • SHA256

    c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31f

  • SHA512

    f5a5797326eae328f3876889c1e4f07d7fb853df6dd1a06545696c2fcc59ae1a9fc1b28f1c4a3b1f592016c31ac20c0704531d8d68b8208040f2b1aef1c0e962

  • SSDEEP

    384:ckaIiudjtD+P3V+y0b3+LCtf1QseiXFrAF+rMRTyN/0L+EcoinblneHQM3epzXV2:fFmV10b3+LCtCViVrM+rMRa8Nuzyt

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe
    "C:\Users\Admin\AppData\Local\Temp\c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1476

Network

  • DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    0.tcp.eu.ngrok.io
    server.exe
    Remote address:
    8.8.8.8:53
    Request
    0.tcp.eu.ngrok.io
    IN A
    Response
    0.tcp.eu.ngrok.io
    IN A
    52.57.120.10
  • DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    75.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.209.201.84.in-addr.arpa
    IN PTR
    Response
  • DNS
    75.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.209.201.84.in-addr.arpa
    IN PTR
  • DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • DNS
    0.tcp.eu.ngrok.io
    server.exe
    Remote address:
    8.8.8.8:53
    Request
    0.tcp.eu.ngrok.io
    IN A
    Response
    0.tcp.eu.ngrok.io
    IN A
    18.192.31.30
  • DNS
    0.tcp.eu.ngrok.io
    server.exe
    Remote address:
    8.8.8.8:53
    Request
    0.tcp.eu.ngrok.io
    IN A
    Response
    0.tcp.eu.ngrok.io
    IN A
    18.192.31.30
  • DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    0.tcp.eu.ngrok.io
    server.exe
    Remote address:
    8.8.8.8:53
    Request
    0.tcp.eu.ngrok.io
    IN A
    Response
    0.tcp.eu.ngrok.io
    IN A
    3.78.28.71
  • DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 666327
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 8CF3E435E27F4CB08B92901120840850 Ref B: LON601060105023 Ref C: 2024-10-28T08:25:20Z
    date: Mon, 28 Oct 2024 08:25:20 GMT
  • GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418565_1OUCQO7VP7RV95UTY&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239340418565_1OUCQO7VP7RV95UTY&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 679182
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D0D7151694A542A590A473FDC40A38DD Ref B: LON601060105023 Ref C: 2024-10-28T08:25:20Z
    date: Mon, 28 Oct 2024 08:25:20 GMT
  • GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 436830
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 06B0A3DFB850481A811A67DB32461A9D Ref B: LON601060105023 Ref C: 2024-10-28T08:25:20Z
    date: Mon, 28 Oct 2024 08:25:20 GMT
  • GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418566_1KUOCUMD7VRU52NBF&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239340418566_1KUOCUMD7VRU52NBF&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 344530
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: A6BBB804F6DF49B9AF900DB0FE509947 Ref B: LON601060105023 Ref C: 2024-10-28T08:25:20Z
    date: Mon, 28 Oct 2024 08:25:20 GMT
  • GET
    https://tse1.mm.bing.net/th?id=OADD2.10239398629831_1XETNM7TBCG6PTKQG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239398629831_1XETNM7TBCG6PTKQG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 644823
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BF807E87C4D4417BB22B816CA6F18804 Ref B: LON601060105023 Ref C: 2024-10-28T08:25:20Z
    date: Mon, 28 Oct 2024 08:25:20 GMT
  • GET
    https://tse1.mm.bing.net/th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 488443
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C9501A8D253A4B628FF7D3D74D728DAE Ref B: LON601060105023 Ref C: 2024-10-28T08:25:21Z
    date: Mon, 28 Oct 2024 08:25:20 GMT
  • DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • 52.57.120.10:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 52.57.120.10:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 52.57.120.10:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 52.57.120.10:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 52.57.120.10:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 52.57.120.10:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 52.57.120.10:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 52.57.120.10:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 52.57.120.10:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    160 B
    5
    4
  • 52.57.120.10:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 52.57.120.10:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 52.57.120.10:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 52.57.120.10:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 52.57.120.10:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 18.192.31.30:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 18.192.31.30:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 18.192.31.30:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 18.192.31.30:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 3.78.28.71:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 3.78.28.71:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    116.4kB
    3.4MB
    2455
    2450

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418565_1OUCQO7VP7RV95UTY&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418566_1KUOCUMD7VRU52NBF&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239398629831_1XETNM7TBCG6PTKQG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 3.78.28.71:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 3.78.28.71:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 3.78.28.71:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 3.78.28.71:11347
    0.tcp.eu.ngrok.io
    server.exe
    260 B
    200 B
    5
    5
  • 3.78.28.71:11347
    0.tcp.eu.ngrok.io
    server.exe
    52 B
    40 B
    1
    1
  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    0.tcp.eu.ngrok.io
    dns
    server.exe
    63 B
    79 B
    1
    1

    DNS Request

    0.tcp.eu.ngrok.io

    DNS Response

    52.57.120.10

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    75.209.201.84.in-addr.arpa
    dns
    144 B
    132 B
    2
    1

    DNS Request

    75.209.201.84.in-addr.arpa

    DNS Request

    75.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    0.tcp.eu.ngrok.io
    dns
    server.exe
    63 B
    79 B
    1
    1

    DNS Request

    0.tcp.eu.ngrok.io

    DNS Response

    18.192.31.30

  • 8.8.8.8:53
    0.tcp.eu.ngrok.io
    dns
    server.exe
    63 B
    79 B
    1
    1

    DNS Request

    0.tcp.eu.ngrok.io

    DNS Response

    18.192.31.30

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    0.tcp.eu.ngrok.io
    dns
    server.exe
    63 B
    79 B
    1
    1

    DNS Request

    0.tcp.eu.ngrok.io

    DNS Response

    3.78.28.71

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\server.exe

    Filesize

    37KB

    MD5

    0e78a49bf12394a06cf511f72d76c040

    SHA1

    6bac7cc2f03a22654151501a02570b41a9db4365

    SHA256

    c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31f

    SHA512

    f5a5797326eae328f3876889c1e4f07d7fb853df6dd1a06545696c2fcc59ae1a9fc1b28f1c4a3b1f592016c31ac20c0704531d8d68b8208040f2b1aef1c0e962

  • memory/2148-0-0x0000000074BC2000-0x0000000074BC3000-memory.dmp

    Filesize

    4KB

  • memory/2148-1-0x0000000074BC0000-0x0000000075171000-memory.dmp

    Filesize

    5.7MB

  • memory/2148-2-0x0000000074BC0000-0x0000000075171000-memory.dmp

    Filesize

    5.7MB

  • memory/2148-12-0x0000000074BC0000-0x0000000075171000-memory.dmp

    Filesize

    5.7MB

  • memory/4776-13-0x0000000074BC0000-0x0000000075171000-memory.dmp

    Filesize

    5.7MB

  • memory/4776-14-0x0000000074BC0000-0x0000000075171000-memory.dmp

    Filesize

    5.7MB

  • memory/4776-15-0x0000000074BC0000-0x0000000075171000-memory.dmp

    Filesize

    5.7MB
