Analysis Overview
SHA256
9677f7bc0da5cb2654fb6cc9e0ac3c65208c69cc1d4e7aa7707a30133d058621
Threat Level: Likely malicious
The file 70f758a17090a074e26662dee56282d991ce55a6.exe was found to be: Likely malicious.
Malicious Activity Summary
Sets file to hidden
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:10
Reported
2024-11-13 20:12
Platform
win7-20240903-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\System32\$77wininit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\System32\\$77wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | 5.tcp.ngrok.io | N/A | N/A |
| N/A | 5.tcp.ngrok.io | N/A | N/A |
| N/A | 5.tcp.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\System32\$77wininit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\System32\$77wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\System32\$77wininit.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe
"C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\System32"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\System32\$77wininit.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp36A.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\System32\$77wininit.exe
"C:\Users\Admin\System32\$77wininit.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN $77wininit.exe
C:\Windows\system32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77wininit.exe" /TR "C:\Users\Admin\System32\$77wininit.exe \"\$77wininit.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN $77wininit.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "wininit_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 5.tcp.ngrok.io | udp |
| US | 3.141.204.47:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.204.47:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.204.47:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.204.47:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.204.47:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.204.47:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.204.47:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.204.47:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.204.47:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.204.47:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.204.47:20636 | 5.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.ngrok.io | udp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.ngrok.io | udp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
Files
memory/1924-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp
memory/1924-1-0x000000013F5E0000-0x000000013F5F0000-memory.dmp
memory/1924-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmp
memory/1924-3-0x000007FEF5833000-0x000007FEF5834000-memory.dmp
memory/1924-4-0x000007FEF5830000-0x000007FEF621C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp36A.tmp.bat
| MD5 | b4fa2a6988b96158c6434d608bd11ee0 |
| SHA1 | 7932875262345ff58553b726b7d9f3979daf369d |
| SHA256 | f82c264d9aaac6868595cc5163d7788447e91bd0e0968b3271209d24e37a1de0 |
| SHA512 | f3371ab70b3796ed3588098cf3a75cd92cbfc179e1b70fdfbc9d948c1a2e533865740c3c7abc630cf9f654758124389f15e297a34404b6ba4d97ef28dc752e5b |
memory/1924-14-0x000007FEF5830000-0x000007FEF621C000-memory.dmp
\Users\Admin\System32\$77wininit.exe
| MD5 | 0ffb0e04f66e70f0cd320df2db61999e |
| SHA1 | 70f758a17090a074e26662dee56282d991ce55a6 |
| SHA256 | 9677f7bc0da5cb2654fb6cc9e0ac3c65208c69cc1d4e7aa7707a30133d058621 |
| SHA512 | c287b991970602307b7ebba6d95acc5b02e0d753565a5c1b4622bd94161912e891ec2896f964bf7f350f72f6ed5eeaa41f9116e63c9cfeea61d40067ed9f79a1 |
memory/796-19-0x000000013F550000-0x000000013F560000-memory.dmp
memory/2648-24-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
memory/2648-25-0x0000000001E00000-0x0000000001E08000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:10
Reported
2024-11-13 20:12
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\System32\$77wininit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\System32\$77wininit.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\System32\\$77wininit.exe\"" | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | 5.tcp.ngrok.io | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | 5.tcp.ngrok.io | N/A | N/A |
| N/A | 5.tcp.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\System32\$77wininit.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\System32\$77wininit.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe
"C:\Users\Admin\AppData\Local\Temp\70f758a17090a074e26662dee56282d991ce55a6.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\System32"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\System32\$77wininit.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE1A5.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\System32\$77wininit.exe
"C:\Users\Admin\System32\$77wininit.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77wininit.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77wininit.exe" /TR "C:\Users\Admin\System32\$77wininit.exe \"\$77wininit.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77wininit.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "wininit_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 5.tcp.ngrok.io | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.141.126.222:20636 | 5.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.ngrok.io | udp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.137.123.63:20636 | 5.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 5.tcp.ngrok.io | udp |
| US | 3.142.157.76:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.142.157.76:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.142.157.76:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.142.157.76:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.142.157.76:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.142.157.76:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.142.157.76:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.142.157.76:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.142.157.76:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.142.157.76:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.142.157.76:20636 | 5.tcp.ngrok.io | tcp |
| US | 3.142.157.76:20636 | 5.tcp.ngrok.io | tcp |
Files
memory/4296-0-0x00007FFCC7303000-0x00007FFCC7305000-memory.dmp
memory/4296-1-0x0000000000E90000-0x0000000000EA0000-memory.dmp
memory/4296-2-0x00007FFCC7300000-0x00007FFCC7DC1000-memory.dmp
memory/4296-3-0x00007FFCC7303000-0x00007FFCC7305000-memory.dmp
memory/4296-4-0x00007FFCC7300000-0x00007FFCC7DC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE1A5.tmp.bat
| MD5 | 8b7258d973caefbcd6ab0462ea50b144 |
| SHA1 | 613dc20250f78416dd494a8f60a917654f716dc8 |
| SHA256 | b2d14c301f476f2e07a8f2db073afa2c36d96c5c713a1b2f93ee4c9c5e18915b |
| SHA512 | 1c0097ac36d7d2427b699478c13c3275646fc08a07b88b2605a4790b42b65fcc3354b9c7dfd421b6aea0f16728266c1ce5a96b922ebeb03c230cfed04badb02e |
memory/4296-10-0x00007FFCC7300000-0x00007FFCC7DC1000-memory.dmp
C:\Users\Admin\System32\$77wininit.exe
| MD5 | 0ffb0e04f66e70f0cd320df2db61999e |
| SHA1 | 70f758a17090a074e26662dee56282d991ce55a6 |
| SHA256 | 9677f7bc0da5cb2654fb6cc9e0ac3c65208c69cc1d4e7aa7707a30133d058621 |
| SHA512 | c287b991970602307b7ebba6d95acc5b02e0d753565a5c1b4622bd94161912e891ec2896f964bf7f350f72f6ed5eeaa41f9116e63c9cfeea61d40067ed9f79a1 |
memory/3404-14-0x000002B8C3050000-0x000002B8C3072000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_riihvaq3.xoe.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |