Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28/10/2024, 08:23 UTC
Behavioral task
behavioral1
Sample
c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe
Resource
win10v2004-20241007-en
General
-
Target
c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe
-
Size
37KB
-
MD5
0e78a49bf12394a06cf511f72d76c040
-
SHA1
6bac7cc2f03a22654151501a02570b41a9db4365
-
SHA256
c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31f
-
SHA512
f5a5797326eae328f3876889c1e4f07d7fb853df6dd1a06545696c2fcc59ae1a9fc1b28f1c4a3b1f592016c31ac20c0704531d8d68b8208040f2b1aef1c0e962
-
SSDEEP
384:ckaIiudjtD+P3V+y0b3+LCtf1QseiXFrAF+rMRTyN/0L+EcoinblneHQM3epzXV2:fFmV10b3+LCtCViVrM+rMRa8Nuzyt
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 1476 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe -
Executes dropped EXE 1 IoCs
pid Process 4776 server.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 26 0.tcp.eu.ngrok.io 61 0.tcp.eu.ngrok.io 65 0.tcp.eu.ngrok.io 70 0.tcp.eu.ngrok.io -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe 4776 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4776 server.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process Token: SeDebugPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe Token: 33 4776 server.exe Token: SeIncBasePriorityPrivilege 4776 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2148 wrote to memory of 4776 2148 c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe 94 PID 2148 wrote to memory of 4776 2148 c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe 94 PID 2148 wrote to memory of 4776 2148 c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe 94 PID 4776 wrote to memory of 1476 4776 server.exe 98 PID 4776 wrote to memory of 1476 4776 server.exe 98 PID 4776 wrote to memory of 1476 4776 server.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe"C:\Users\Admin\AppData\Local\Temp\c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31fN.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1476
-
-
Network
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.35.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request0.tcp.eu.ngrok.ioIN AResponse0.tcp.eu.ngrok.ioIN A52.57.120.10
-
Remote address:8.8.8.8:53Request53.210.109.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request75.209.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request75.209.201.84.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request0.tcp.eu.ngrok.ioIN AResponse0.tcp.eu.ngrok.ioIN A18.192.31.30
-
Remote address:8.8.8.8:53Request0.tcp.eu.ngrok.ioIN AResponse0.tcp.eu.ngrok.ioIN A18.192.31.30
-
Remote address:8.8.8.8:53Request48.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request0.tcp.eu.ngrok.ioIN AResponse0.tcp.eu.ngrok.ioIN A3.78.28.71
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 666327
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8CF3E435E27F4CB08B92901120840850 Ref B: LON601060105023 Ref C: 2024-10-28T08:25:20Z
date: Mon, 28 Oct 2024 08:25:20 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418565_1OUCQO7VP7RV95UTY&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418565_1OUCQO7VP7RV95UTY&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 679182
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D0D7151694A542A590A473FDC40A38DD Ref B: LON601060105023 Ref C: 2024-10-28T08:25:20Z
date: Mon, 28 Oct 2024 08:25:20 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 436830
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 06B0A3DFB850481A811A67DB32461A9D Ref B: LON601060105023 Ref C: 2024-10-28T08:25:20Z
date: Mon, 28 Oct 2024 08:25:20 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418566_1KUOCUMD7VRU52NBF&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418566_1KUOCUMD7VRU52NBF&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 344530
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A6BBB804F6DF49B9AF900DB0FE509947 Ref B: LON601060105023 Ref C: 2024-10-28T08:25:20Z
date: Mon, 28 Oct 2024 08:25:20 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239398629831_1XETNM7TBCG6PTKQG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239398629831_1XETNM7TBCG6PTKQG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 644823
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BF807E87C4D4417BB22B816CA6F18804 Ref B: LON601060105023 Ref C: 2024-10-28T08:25:20Z
date: Mon, 28 Oct 2024 08:25:20 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 488443
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: C9501A8D253A4B628FF7D3D74D728DAE Ref B: LON601060105023 Ref C: 2024-10-28T08:25:21Z
date: Mon, 28 Oct 2024 08:25:20 GMT
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 160 B 5 4
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
150.171.27.10:443https://tse1.mm.bing.net/th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http2116.4kB 3.4MB 2455 2450
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418565_1OUCQO7VP7RV95UTY&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418566_1KUOCUMD7VRU52NBF&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239398629831_1XETNM7TBCG6PTKQG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239398629832_1AECK4YD8K87JKVB5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200 -
1.2kB 6.9kB 15 13
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
52 B 40 B 1 1
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
73.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
26.35.223.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
63 B 79 B 1 1
DNS Request
0.tcp.eu.ngrok.io
DNS Response
52.57.120.10
-
72 B 158 B 1 1
DNS Request
53.210.109.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
144 B 132 B 2 1
DNS Request
75.209.201.84.in-addr.arpa
DNS Request
75.209.201.84.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
63 B 79 B 1 1
DNS Request
0.tcp.eu.ngrok.io
DNS Response
18.192.31.30
-
63 B 79 B 1 1
DNS Request
0.tcp.eu.ngrok.io
DNS Response
18.192.31.30
-
72 B 158 B 1 1
DNS Request
48.229.111.52.in-addr.arpa
-
63 B 79 B 1 1
DNS Request
0.tcp.eu.ngrok.io
DNS Response
3.78.28.71
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10150.171.28.10
-
72 B 158 B 1 1
DNS Request
88.156.103.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD50e78a49bf12394a06cf511f72d76c040
SHA16bac7cc2f03a22654151501a02570b41a9db4365
SHA256c8d3c048a92b468514343ac258e5c8047ea66ef3b54e4f4200f7243de06ae31f
SHA512f5a5797326eae328f3876889c1e4f07d7fb853df6dd1a06545696c2fcc59ae1a9fc1b28f1c4a3b1f592016c31ac20c0704531d8d68b8208040f2b1aef1c0e962