Analysis Overview
SHA256
08a04b950c6031066e2e4ad246b25baef1c48c6227a75060e4ca6cbf440a629b
Threat Level: Shows suspicious behavior
The file re-yang-win.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Checks computer location settings
Clipboard Data
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 17:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 17:09
Reported
2024-11-11 17:13
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe
"C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 17:09
Reported
2024-11-11 17:11
Platform
win10v2004-20241007-en
Max time kernel
75s
Max time network
83s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe | N/A |
Clipboard Data
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe
"C:\Users\Admin\AppData\Local\Temp\re-yang-win.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | api.proxyscrape.com | udp |
| US | 8.8.8.8:53 | openproxylist.xyz | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 104.18.10.5:443 | api.proxyscrape.com | tcp |
| US | 104.18.10.5:443 | api.proxyscrape.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 104.18.10.5:443 | api.proxyscrape.com | tcp |
| US | 172.67.150.208:443 | openproxylist.xyz | tcp |
| US | 172.67.150.208:443 | openproxylist.xyz | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 104.18.10.5:443 | api.proxyscrape.com | tcp |
| US | 172.67.150.208:443 | openproxylist.xyz | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| TH | 134.236.19.94:4145 | | tcp |
| VN | 27.77.228.212:1080 | discordapp.com | tcp |
| US | 167.71.250.32:60319 | | tcp |
| CO | 190.144.112.227:8080 | | tcp |
| ID | 103.40.121.31:8087 | | tcp |
| HK | 49.0.253.51:80 | discordapp.com | tcp |
| US | 72.210.252.137:4145 | | tcp |
| IN | 103.155.54.237:83 | | tcp |
| ID | 43.252.236.114:1080 | | tcp |
| UA | 212.3.104.126:8080 | | tcp |
| NL | 217.100.18.204:8080 | | tcp |
| VE | 138.122.6.91:999 | | tcp |
| TH | 61.7.175.244:8080 | | tcp |
| US | 198.12.255.193:63761 | | tcp |
| US | 64.227.106.157:80 | | tcp |
| GB | 8.208.90.194:9090 | discordapp.com | tcp |
| US | 154.202.116.68:3128 | | tcp |
| FR | 141.94.174.6:57470 | | tcp |
| EC | 45.236.168.169:999 | | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| CO | 186.86.143.161:999 | | tcp |
| TH | 110.77.184.98:4145 | | tcp |
| US | 162.214.201.57:19268 | | tcp |
| AR | 201.234.24.1:4153 | | tcp |
| CL | 45.170.102.1:999 | | tcp |
| NL | 145.40.97.148:10002 | | tcp |
| RU | 178.49.22.23:1080 | | tcp |
| MX | 45.189.236.6:999 | | tcp |
| ID | 103.247.14.37:8199 | | tcp |
| ZA | 105.29.93.193:4145 | | tcp |
| FR | 5.196.101.18:3128 | | tcp |
| PT | 2.83.198.171:80 | | tcp |
| US | 50.63.12.33:52814 | | tcp |
| FR | 13.37.59.99:80 | | tcp |
| SG | 139.162.36.133:1234 | | tcp |
| ID | 103.175.224.93:4444 | | tcp |
| ID | 103.178.194.9:1111 | | tcp |
| ID | 115.124.69.166:3128 | | tcp |
| FR | 212.47.250.252:16379 | | tcp |
| US | 162.240.208.185:51733 | | tcp |
| RU | 79.122.230.20:8080 | | tcp |
| CN | 218.78.65.202:6688 | | tcp |
| TR | 188.132.221.54:8080 | | tcp |
| CZ | 95.80.253.77:33333 | | tcp |
| NL | 188.166.56.246:80 | | tcp |
| SG | 8.219.238.209:15673 | | tcp |
| JP | 8.221.141.88:9080 | | tcp |
| ID | 103.154.230.103:5678 | | tcp |
| HK | 43.128.62.125:23642 | | tcp |
| US | 67.43.42.117:8080 | | tcp |
| ES | 82.223.102.92:9443 | | tcp |
| AT | 213.33.2.28:80 | | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.10.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.150.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.59.37.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.228.77.27.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.12.63.50.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.253.0.49.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.141.221.8.in-addr.arpa | udp |
| NL | 145.40.97.148:443 | discordapp.com | tcp |
| VN | 113.160.132.33:8080 | discordapp.com | tcp |
| US | 8.8.8.8:53 | 194.90.208.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.97.40.145.in-addr.arpa | udp |
| PY | 181.78.95.48:999 | | tcp |
| UA | 176.120.32.135:5678 | | tcp |
| US | 154.202.116.18:3128 | | tcp |
| VN | 222.252.194.204:8080 | discordapp.com | tcp |
| VN | 103.82.37.239:3128 | | tcp |
| MY | 47.250.177.202:8080 | discordapp.com | tcp |
| US | 67.205.190.164:8080 | | tcp |
| IT | 109.73.181.133:4145 | | tcp |
| US | 8.8.8.8:53 | 33.132.160.113.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.177.250.47.in-addr.arpa | udp |
| HK | 47.243.114.192:8180 | | tcp |
| US | 47.88.11.3:81 | | tcp |
| US | 64.92.82.58:8080 | | tcp |
| MY | 47.250.177.202:8080 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 192.114.243.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.194.252.222.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.11.88.47.in-addr.arpa | udp |
| BR | 177.66.52.195:44102 | | tcp |
| US | 192.252.214.20:15864 | | tcp |
| ID | 36.64.5.162:5678 | | tcp |
| HK | 47.238.60.156:3128 | | tcp |
| US | 8.8.8.8:53 | 20.214.252.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.56.166.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.143.86.186.in-addr.arpa | udp |
| KR | 211.223.89.176:56998 | | tcp |
| US | 8.8.8.8:53 | 156.60.238.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| BR | 45.6.95.68:4153 | | tcp |
| BD | 103.114.10.234:8080 | | tcp |
| BR | 20.206.106.192:80 | | tcp |
| PH | 124.106.173.56:8082 | | tcp |
| KR | 222.111.18.67:80 | | tcp |
| UA | 94.158.155.138:54698 | | tcp |
| CL | 45.230.49.2:999 | | tcp |
| ID | 103.191.165.202:8080 | | tcp |
| CA | 72.10.160.94:23703 | | tcp |
| US | 92.112.202.130:6714 | discordapp.com | tcp |
| FR | 178.32.121.183:8080 | | tcp |
| VE | 200.109.66.90:4153 | | tcp |
| NL | 13.81.217.201:80 | | tcp |
| GB | 178.128.172.154:3128 | | tcp |
| BD | 115.127.79.234:8080 | | tcp |
| TH | 202.139.198.15:3060 | | tcp |
| US | 157.230.177.47:7497 | | tcp |
| SG | 185.217.5.3:80 | | tcp |
| CN | 120.26.52.35:8081 | | tcp |
| US | 67.43.37.76:8118 | | tcp |
| CA | 104.207.42.188:3128 | | tcp |
| US | 38.127.172.16:45801 | | tcp |
| ID | 103.4.167.69:8080 | | tcp |
| TZ | 41.59.90.171:80 | | tcp |
| BD | 103.231.239.166:58080 | | tcp |
| SG | 8.219.5.240:8118 | | tcp |
| US | 8.8.8.8:53 | 76.37.43.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.42.207.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.202.112.92.in-addr.arpa | udp |
| PE | 200.123.15.125:999 | | tcp |
| BR | 45.234.100.102:1080 | | tcp |
| LU | 104.244.75.78:31534 | | tcp |
| IN | 103.209.88.72:8080 | | tcp |
| US | 8.8.8.8:53 | 240.5.219.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.75.244.104.in-addr.arpa | udp |
| TH | 49.0.199.132:8089 | | tcp |
| CA | 72.10.160.171:26735 | | tcp |
| CN | 114.226.31.226:1080 | | tcp |
| ID | 103.242.104.242:8080 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.199.0.49.in-addr.arpa | udp |
| NL | 165.225.240.95:10605 | | tcp |
| CO | 168.90.13.162:999 | | tcp |
| MK | 79.125.195.102:5678 | | tcp |
| US | 205.207.102.209:8282 | | tcp |
| CO | 190.7.138.78:80 | | tcp |
| ID | 103.146.197.43:4996 | | tcp |
| IR | 2.176.206.3:8080 | | tcp |
| CN | 121.37.207.154:3127 | | tcp |
| CO | 190.145.120.182:5678 | | tcp |
| TW | 106.105.118.250:80 | | tcp |
| CO | 45.162.82.244:8080 | | tcp |
| TH | 118.173.230.19:1080 | | tcp |
| CO | 170.239.205.74:8080 | | tcp |
| CN | 39.107.89.178:80 | | tcp |
| US | 8.8.8.8:53 | 171.90.59.41.in-addr.arpa | udp |
| RU | 185.112.224.151:1080 | | tcp |
| FR | 46.105.35.193:8080 | | tcp |
| US | 167.172.159.43:49633 | | tcp |
| BO | 200.58.87.195:8080 | | tcp |
| TH | 110.238.116.82:1080 | discordapp.com | tcp |
| ID | 36.64.86.27:8080 | | tcp |
| ID | 43.225.66.185:8080 | | tcp |
| IN | 103.243.114.206:8080 | | tcp |
| US | 63.141.128.163:80 | | tcp |
| GR | 195.130.115.208:33333 | | tcp |
| RU | 79.173.75.182:3629 | | tcp |
| GB | 104.249.29.73:5766 | | tcp |
| US | 50.204.219.226:80 | | tcp |
| CM | 41.77.210.210:80 | | tcp |
| IR | 91.108.132.142:8080 | | tcp |
| US | 8.8.8.8:53 | 82.116.238.110.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.128.141.63.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.29.249.104.in-addr.arpa | udp |
| MX | 45.175.238.0:999 | | tcp |
| CN | 58.209.139.191:8089 | | tcp |
| IN | 103.6.184.222:39241 | | tcp |
| JP | 61.118.38.234:60808 | discordapp.com | tcp |
| DE | 173.249.47.186:27204 | | tcp |
| TW | 211.22.151.163:60808 | | tcp |
| ID | 103.131.104.125:10800 | | tcp |
| CA | 67.43.227.228:17003 | | tcp |
| US | 89.117.130.19:80 | discordapp.com | tcp |
| BR | 187.62.64.155:45005 | | tcp |
| BR | 187.86.132.146:8080 | | tcp |
| ID | 43.252.237.98:4145 | | tcp |
| HK | 47.243.124.21:9091 | | tcp |
| ZA | 41.21.182.179:5678 | | tcp |
| US | 8.8.8.8:53 | 21.124.243.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.182.21.41.in-addr.arpa | udp |
| RS | 89.216.52.217:4153 | | tcp |
| DO | 181.37.240.89:999 | | tcp |
| SG | 34.87.84.105:80 | | tcp |
| ZA | 41.21.182.179:5678 | | tcp |
| TH | 1.179.144.41:8080 | | tcp |
| RU | 62.33.207.201:80 | | tcp |
| PH | 143.44.191.108:8080 | | tcp |
| HN | 179.49.112.134:999 | | tcp |
| PR | 192.254.106.89:999 | | tcp |
| IT | 37.207.45.15:48678 | | tcp |
| MX | 177.241.233.10:999 | | tcp |
| CN | 114.226.31.226:1080 | | tcp |
| FR | 51.15.212.207:16379 | | tcp |
| US | 8.8.8.8:53 | 234.38.118.61.in-addr.arpa | udp |
| KE | 41.139.234.127:8080 | | tcp |
| CA | 158.51.210.75:8888 | | tcp |
| DE | 213.136.75.65:9761 | | tcp |
| IR | 193.176.242.186:80 | | tcp |
| RU | 212.33.248.45:1080 | | tcp |
| ID | 103.217.217.190:8080 | discordapp.com | tcp |
| GB | 217.69.126.221:6091 | | tcp |
| US | 8.8.8.8:53 | 221.126.69.217.in-addr.arpa | udp |
| BR | 170.78.94.200:5678 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.130.117.89.in-addr.arpa | udp |
| SE | 130.255.160.238:4243 | | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| IT | 34.154.161.152:80 | | tcp |
| CA | 104.207.58.127:3128 | discordapp.com | tcp |
| US | 154.214.1.160:3128 | discordapp.com | tcp |
| CA | 67.43.236.22:22079 | | tcp |
| IQ | 45.81.144.23:8080 | | tcp |
| PK | 210.56.2.106:8080 | | tcp |
| AR | 181.88.73.150:5678 | | tcp |
| TH | 110.164.175.110:8080 | | tcp |
| US | 8.8.8.8:53 | 190.217.217.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.58.207.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.1.214.154.in-addr.arpa | udp |
| US | 12.218.209.130:13326 | | tcp |
| US | 63.143.57.117:80 | | tcp |
| US | 184.178.172.25:15291 | discordapp.com | tcp |
| CN | 122.9.4.213:80 | | tcp |
| TH | 165.154.232.175:14051 | | tcp |
| CO | 177.93.33.92:999 | | tcp |
| DE | 3.71.239.218:80 | discordapp.com | tcp |
| CN | 113.225.137.246:7891 | | tcp |
| US | 23.81.127.76:8118 | | tcp |
| CA | 67.43.236.20:23977 | | tcp |
| CA | 104.207.46.15:3128 | | tcp |
| IN | 47.247.218.29:3129 | discordapp.com | tcp |
| PL | 185.49.31.205:8080 | discordapp.com | tcp |
| NG | 41.184.212.3:4153 | | tcp |
| LT | 46.36.70.104:46964 | | tcp |
| IN | 103.78.171.10:83 | | tcp |
| PL | 185.49.31.205:8080 | discordapp.com | tcp |
| FI | 65.108.9.181:80 | | tcp |
| CA | 67.43.227.228:29789 | | tcp |
| PL | 185.49.31.205:8080 | discordapp.com | tcp |
| US | 51.81.186.179:26620 | | tcp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.57.143.63.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.31.49.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.46.207.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.239.71.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.172.178.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.218.247.47.in-addr.arpa | udp |
| PL | 185.49.31.205:8080 | discordapp.com | tcp |
| IN | 103.82.157.105:8080 | | tcp |
| AU | 1.0.0.123:80 | | tcp |
| CN | 182.204.178.100:8089 | | tcp |
| US | 8.8.8.8:53 | 123.0.0.1.in-addr.arpa | udp |
| PL | 51.83.184.241:9191 | | tcp |
| ID | 223.25.110.225:1080 | | tcp |
| DE | 168.119.226.2:8080 | | tcp |
| HK | 94.74.121.234:1080 | | tcp |
| EG | 41.65.163.68:1981 | | tcp |
| CO | 170.239.205.74:8080 | | tcp |
| GB | 8.208.90.194:82 | | tcp |
| US | 8.8.8.8:53 | 241.184.83.51.in-addr.arpa | udp |
| FR | 164.132.112.208:23829 | | tcp |
| US | 5.161.98.204:20703 | | tcp |
| BR | 20.206.106.192:80 | | tcp |
| KE | 102.213.248.24:8080 | | tcp |
| UA | 62.122.201.246:50129 | | tcp |
| ME | 94.102.234.186:32650 | | tcp |
| VN | 27.73.18.185:1080 | | tcp |
| VN | 171.228.165.210:14005 | | tcp |
| ID | 103.124.136.138:3125 | | tcp |
| US | 216.173.76.144:6771 | discordapp.com | tcp |
| MX | 187.189.138.42:8888 | | tcp |
| CN | 39.104.62.128:8081 | | tcp |
| DE | 5.9.169.87:30000 | | tcp |
| US | 8.8.8.8:53 | 144.76.173.216.in-addr.arpa | udp |
| US | 47.252.11.233:8443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.11.252.47.in-addr.arpa | udp |
| VN | 27.77.228.212:1080 | | tcp |
| RS | 178.148.229.161:5678 | | tcp |
| PH | 180.191.23.221:8081 | | tcp |
| US | 47.252.11.233:8443 | api.ipify.org | tcp |
| CA | 142.44.212.57:30439 | | tcp |
| US | 47.88.29.108:9999 | | tcp |
| TH | 101.109.0.94:8080 | | tcp |
| AR | 190.225.164.15:33333 | | tcp |
| CL | 45.173.123.102:999 | | tcp |
| HK | 148.66.6.214:80 | | tcp |
| US | 8.8.8.8:53 | 108.29.88.47.in-addr.arpa | udp |
| UA | 91.203.114.71:42905 | | tcp |
| DE | 5.189.172.158:3128 | | tcp |
| CO | 45.233.169.25:999 | | tcp |
| TH | 182.52.217.142:8080 | | tcp |
| US | 104.18.103.125:80 | | tcp |
| US | 198.20.191.198:7254 | discordapp.com | tcp |
| CO | 181.48.155.78:8003 | | tcp |
| IR | 178.21.163.24:80 | discordapp.com | tcp |
| US | 98.162.25.23:4145 | | tcp |
| ID | 43.243.140.194:8080 | | tcp |
| US | 47.88.11.3:8123 | | tcp |
| US | 50.170.90.24:80 | | tcp |
| ID | 103.35.153.74:8080 | | tcp |
| US | 8.8.8.8:53 | 214.6.66.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.103.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.191.20.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.169.233.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.163.21.178.in-addr.arpa | udp |
| IN | 103.84.178.2:4153 | | tcp |
| IR | 188.121.103.205:80 | | tcp |
| NL | 147.75.34.103:10001 | | tcp |
| ID | 114.7.97.222:35010 | | tcp |
| BR | 177.21.237.100:8080 | | tcp |
| EG | 41.65.236.53:1976 | | tcp |
| US | 8.8.8.8:53 | 103.34.75.147.in-addr.arpa | udp |
| US | 162.214.170.144:3434 | | tcp |
| TW | 125.227.225.157:3389 | | tcp |
| US | 162.243.102.207:9764 | | tcp |
| TW | 59.125.223.105:80 | | tcp |
| DZ | 41.111.187.214:80 | | tcp |
| AE | 2.50.47.254:8080 | | tcp |
| US | 50.217.226.43:80 | | tcp |
| ID | 36.67.136.21:80 | | tcp |
| IN | 182.48.204.35:8080 | | tcp |
| US | 98.162.96.41:4145 | | tcp |
| VN | 42.96.10.104:3128 | | tcp |
| N/A | 127.0.0.1:80 | | tcp |
| KH | 49.156.42.210:5678 | | tcp |
| DE | 47.91.95.174:56 | | tcp |
| US | 8.8.8.8:53 | 207.102.243.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.226.217.50.in-addr.arpa | udp |
| RU | 188.234.248.18:8080 | | tcp |
| US | 204.242.0.222:25647 | | tcp |
| US | 157.230.82.155:29451 | | tcp |
| US | 8.8.8.8:53 | 174.95.91.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.208.201.84.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\pkg-e4HPfM\5c9a74674baa49a8cc3965a2d84a4f89cd4ea1a459a9b493fc02a581c95bf3a8
| Hash | Value |
|---|---|
| MD5 | 04bfbfec8db966420fe4c7b85ebb506a |
| SHA1 | 939bb742a354a92e1dcd3661a62d69e48030a335 |
| SHA256 | da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd |
| SHA512 | 4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65 |
C:\Users\Admin\AppData\Local\Temp\pkg-e4HPfM\b9a7b76665d92af2d90cc6a15ffdc1a79635559cbc1c40bd1f83c4c4449cd442
| Hash | Value |
|---|---|
| MD5 | 66a65322c9d362a23cf3d3f7735d5430 |
| SHA1 | ed59f3e4b0b16b759b866ef7293d26a1512b952e |
| SHA256 | f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c |
| SHA512 | 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21 |
memory/4176-135-0x00007FFF749C3000-0x00007FFF749C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vkc1ltp2.5gb.ps1
| Hash | Value |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4176-145-0x000001DFCE750000-0x000001DFCE772000-memory.dmp
memory/4176-146-0x00007FFF749C0000-0x00007FFF75481000-memory.dmp
memory/4176-147-0x00007FFF749C0000-0x00007FFF75481000-memory.dmp
memory/4176-151-0x00007FFF749C0000-0x00007FFF75481000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| Hash | Value |
|---|---|
| MD5 | 8740e7db6a0d290c198447b1f16d5281 |
| SHA1 | ab54460bb918f4af8a651317c8b53a8f6bfb70cd |
| SHA256 | f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5 |
| SHA512 | d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
|---|---|
| MD5 | d8b9a260789a22d72263ef3bb119108c |
| SHA1 | 376a9bd48726f422679f2cd65003442c0b6f6dd5 |
| SHA256 | d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc |
| SHA512 | 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
|---|---|
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
C:\Users\Admin\AppData\Local\Temp\config.yml
| Hash | Value |
|---|---|
| MD5 | 98d55c31ac02b32ac3c147cad3a97ed0 |
| SHA1 | 1d72218c5cdd5cfe65187d66833eeaa16fad9368 |
| SHA256 | b61bac80531f43058953c0747218203b4794908db361ed0a032d79f1168f6bdc |
| SHA512 | 36e48ab538dc41350ad4cb2a0127a1727db54b136e65f12526ac1648d884e462a28ebf7f7ca85eff37da5e7de9baddac9b28819395e65a7eb3dc83dbdd50f78e |