Analysis Overview
SHA256
afe42ee135f9bbcc385db5751b4867e99aa4caa862bcaaf312e4355a5323145d
Threat Level: Known bad
The file System.Runtime.exe was found to be: Known bad.
Malicious Activity Summary
SilverRat
Silverrat family
Sets file to hidden
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-27 16:06
Signatures
Silverrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-27 16:06
Reported
2025-02-27 16:09
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
SilverRat
Silverrat family
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WinTask\\$77Runtime Broker.exe\"" | C:\Users\Admin\AppData\Local\Temp\System.Runtime.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\System.Runtime.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\System.Runtime.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\System.Runtime.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\System.Runtime.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\System.Runtime.exe
"C:\Users\Admin\AppData\Local\Temp\System.Runtime.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFCF5.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN $77Runtime Broker.exe
C:\Windows\system32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\system32\schtasks.exe
"schtasks.exe" /query /TN $77Runtime Broker.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | if-eventually.gl.at.ply.gg | udp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
Files
memory/1952-0-0x000007FEF5283000-0x000007FEF5284000-memory.dmp
memory/1952-1-0x000000013F4E0000-0x000000013F4F0000-memory.dmp
memory/1952-2-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp
memory/1952-3-0x000007FEF5283000-0x000007FEF5284000-memory.dmp
memory/1952-4-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpFCF5.tmp.bat
| MD5 | d8146630a3aee8916b9cdd3ea8e2d974 |
| SHA1 | 5d0aec6d77fc517590effaff97cde8badc75804f |
| SHA256 | 1f1f3f78f6d76e836275f74cdd3378bc8be9abacf42f01fc17d32ab34e5e9cd9 |
| SHA512 | 08c7da1c55bca595c698ee71d49ea2eb1db3069e7079f12a6ded779eb967ebb3e3df8ba7cbd20b617c079aa80bf7245d4a0646f6a2828980356a9d09365c1062 |
memory/1952-14-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
| MD5 | 8f06957fd43a38298aa9d6f4bc52c7a7 |
| SHA1 | 01a72c623c0ce786e01fbc3c165bb1c099a2dc1a |
| SHA256 | afe42ee135f9bbcc385db5751b4867e99aa4caa862bcaaf312e4355a5323145d |
| SHA512 | 4b0283befc959340041cfb8c03caccfe3f32971434f34f85c80eba9921bd6e26e664287ec7826492f2047309bfc86e472aa8cb740008df6cf7b61ac94a54484e |
memory/1792-19-0x000000013FB30000-0x000000013FB40000-memory.dmp
memory/2404-24-0x000000001B690000-0x000000001B972000-memory.dmp
memory/2404-25-0x00000000027E0000-0x00000000027E8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-27 16:06
Reported
2025-02-27 16:24
Platform
win10v2004-20250217-en
Max time kernel
1040s
Max time network
1046s
Command Line
Signatures
SilverRat
Silverrat family
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\System.Runtime.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WinTask\\$77Runtime Broker.exe\"" | C:\Users\Admin\AppData\Local\Temp\System.Runtime.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\System.Runtime.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\System.Runtime.exe
"C:\Users\Admin\AppData\Local\Temp\System.Runtime.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBCB8.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77Runtime Broker.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN $77Runtime Broker.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | if-eventually.gl.at.ply.gg | udp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp (301 identical rows collapsed into this one) |
| US | 8.8.8.8:53 | if-eventually.gl.at.ply.gg | udp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
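The process chain is the same in the win7 and win10 runs (only the temp .bat name and the cmd.exe path differ), so the following added example serves both Processes lists and the Network tables. It is not part of the sandbox report and not SilverRat code: it copies the command lines and the behavioral1 network rows from the tables above and runs a handful of regex rules over them, the way a responder would over Sysmon Event ID 1 CommandLine fields or EDR telemetry, then pulls out the host IOCs (scheduled task names, Defender exclusion extensions) and aggregates the network rows. The ATT&CK sub-technique labels, the regexes and the ply.gg annotation (gl.at.ply.gg hostnames are playit.gg tunnel endpoints, which is why the true C2 host is not visible) are my own mapping, not the sandbox's; the "$77" remark rests on the public r77 user-mode rootkit's convention of hiding files, processes and tasks whose names start with "$77".

```python
"""Triage helper re-running detection rules over the sandbox report's process
command lines and network rows. Added example, not part of the report or of
SilverRat; ATT&CK labels, regexes and the tunnel-domain note are the author's
own annotations."""
import re
from collections import Counter

# Command lines copied from the "Processes" list above (behavioral1 and
# behavioral2 differ only in the temp .bat name and the cmd.exe path).
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\System.Runtime.exe"',
    r'C:\Windows\system32\vssvc.exe',
    r'"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask"',
    r'"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFCF5.tmp.bat""',
    r'timeout 3',
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe"',
    r'"schtasks.exe" /query /TN $77Runtime Broker.exe',
    r'"schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit',
    r'"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00',
]

# Rows copied from the behavioral1 "Network" table above.
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | if-eventually.gl.at.ply.gg | udp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
| US | 147.185.221.25:17094 | if-eventually.gl.at.ply.gg | tcp |
"""

# (label, regex) heuristics written for this report, not vendor signatures.
# Each label names the ATT&CK sub-technique the rule targets.
RULES = [
    ("T1564.001 hide artifacts: attrib +s +h",
     re.compile(r'attrib(?:\.exe)?"?\s+(?:\+[sh]\s+)+', re.I)),
    ("T1053.005 scheduled task created with /RL HIGHEST",
     re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*/rl\s+highest', re.I)),
    ("T1053.005 recurring scheduled task",
     re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*/sc\s+(?:minute|hourly|daily)\b', re.I)),
    ("T1562.001 Defender exclusion via Set-MpPreference",
     re.compile(r'Set-MpPreference\s+-Exclusion\w*', re.I)),
    ("T1497.003 execution delay via timeout.exe",
     re.compile(r'(?:^|\\)timeout(?:\.exe)?"?\s+\d+', re.I)),
    ("T1059.003 cmd /c launching a batch file from %TEMP%",
     re.compile(r'cmd(?:\.exe)?"?\s+/c\s+"*[^"]*\\Temp\\[^"]*\.bat', re.I)),
    ("T1036.005 'Runtime Broker.exe' masquerade under AppData",
     re.compile(r'\\AppData\\.*Runtime Broker\.exe', re.I)),
    ("'$77' name prefix (r77 user-mode rootkit hide convention)",
     re.compile(r'\$77')),
]
TASK_NAME = re.compile(r'/tn\s+"?([^"]+?)"?(?:\s+/|\s*$)', re.I)
EXCLUSIONS = re.compile(r'-ExclusionExtension\s+([\w.,]+)', re.I)
TUNNEL_SUFFIXES = {".ply.gg": "playit.gg tunnel endpoint"}  # author's note


def classify(cmdline):
    """Labels of every rule that matches one command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def triage(cmdlines):
    """Map each triggered label to the command lines that triggered it."""
    findings = {}
    for cmd in cmdlines:
        for label in classify(cmd):
            findings.setdefault(label, []).append(cmd)
    return findings


def scheduled_task_names(cmdlines):
    """Task names passed to schtasks /tn; host IOCs to sweep for."""
    return {m.group(1) for cmd in cmdlines for m in [TASK_NAME.search(cmd)] if m}


def defender_exclusions(cmdlines):
    """Extensions removed from Defender scanning by Set-MpPreference."""
    return [ext for cmd in cmdlines
            for m in EXCLUSIONS.finditer(cmd) for ext in m.group(1).split(",")]


def network_iocs(table_text):
    """Collapse markdown network rows into per-(dest, domain, proto) counts,
    flagging domains that belong to a known tunnelling service."""
    counts = Counter()
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Country":
            counts[tuple(cells[1:])] += 1
    out = []
    for (dest, domain, proto), n in counts.most_common():
        note = next((v for k, v in TUNNEL_SUFFIXES.items() if domain.endswith(k)), "")
        out.append({"dest": dest, "domain": domain, "proto": proto, "count": n, "note": note})
    return out


if __name__ == "__main__":
    for label, cmds in triage(PROCESS_CMDLINES).items():
        print(f"[{label}] {len(cmds)} process(es)")
    print("tasks:", sorted(scheduled_task_names(PROCESS_CMDLINES)))
    print("defender exclusions:", defender_exclusions(PROCESS_CMDLINES))
    for row in network_iocs(NETWORK_ROWS):
        print(row)
```

Two caveats the report itself supports when you turn these findings into a cleanup list: the hourly task's action is recorded as the literal, unexpanded `%MyFile%`, so do not treat that task as the persistence that matters; the Run key value and the ONCE task created with `/RL HIGHEST` both point at the real dropped binary. And since the dropped `$77Runtime Broker.exe` carries the same SHA256 as the submitted `System.Runtime.exe`, a hash sweep for the overview SHA256 catches both copies, while the `$77` prefix and the `+s +h` attributes mean a plain directory listing or Task Scheduler view may not show them.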
Files
memory/2544-0-0x00007FFEB4993000-0x00007FFEB4995000-memory.dmp
memory/2544-1-0x0000000000F70000-0x0000000000F80000-memory.dmp
memory/2544-2-0x00007FFEB4990000-0x00007FFEB5451000-memory.dmp
memory/2544-3-0x00007FFEB4993000-0x00007FFEB4995000-memory.dmp
memory/2544-4-0x00007FFEB4990000-0x00007FFEB5451000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpBCB8.tmp.bat
| MD5 | 1caf1c28ee80c7346d11a1bdd874d7dc |
| SHA1 | 6049c4c2ee0c224ce02d8e82a1bbc8c57e0961f6 |
| SHA256 | cc7cdd77562f8fa3e1adf6aedc268d6a0f53d05889ff26d2517de739774b5137 |
| SHA512 | aafe3e6f55ab330c209edcf3cf9b1dad24b392bf539a660d7778605c2cbf629a9f6994c194807a0f1a102a2932898424caafa18a8a234df9d8810f3cff6d8ca5 |
memory/2544-10-0x00007FFEB4990000-0x00007FFEB5451000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WinTask\$77Runtime Broker.exe
| MD5 | 8f06957fd43a38298aa9d6f4bc52c7a7 |
| SHA1 | 01a72c623c0ce786e01fbc3c165bb1c099a2dc1a |
| SHA256 | afe42ee135f9bbcc385db5751b4867e99aa4caa862bcaaf312e4355a5323145d |
| SHA512 | 4b0283befc959340041cfb8c03caccfe3f32971434f34f85c80eba9921bd6e26e664287ec7826492f2047309bfc86e472aa8cb740008df6cf7b61ac94a54484e |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a1yuneoi.3tt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2020-21-0x000001E738260000-0x000001E738282000-memory.dmp