Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

84eaf81476...28.exe

windows7-x64

10

84eaf81476...28.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    80s
  • max time network
    85s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2023, 18:35 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    84eaf81476b556d9968bea7ee811142aa4e9a731b26055571eb5b2fcc8c22528.exe

  • Size

    567KB

  • MD5

    caa24946e46c1081c0fe16f83787f9bc

  • SHA1

    9a905dd4b2c1adb5b3e8e7c772a3e372dee580ce

  • SHA256

    84eaf81476b556d9968bea7ee811142aa4e9a731b26055571eb5b2fcc8c22528

  • SHA512

    ad291415ac63969ab261d04d312d6a4801dec49ab7bddd416aedd0f8bf8f7fc10d07ea0eb105c9aa828fab5c247be5619c720f8a7a86680cf472eccbe89c2f69

  • SSDEEP

    12288:ZMrqy90NBltD/Bmn/HvgY0pIUQu5HdEJYLcMy/jvl:nyG/rBUvvbvUQkEoS7vl

Score
10/10
redlinedarmdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

darm

C2

217.196.96.56:4138

Attributes
  • auth_value

    d88ac8ccc04ab9979b04b46313db1648

Signatures

  • Detects Redline Stealer samples 3 IoCs

    This rule detects the presence of Redline Stealer samples based on their unique strings.

    stealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 25 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\84eaf81476b556d9968bea7ee811142aa4e9a731b26055571eb5b2fcc8c22528.exe
    "C:\Users\Admin\AppData\Local\Temp\84eaf81476b556d9968bea7ee811142aa4e9a731b26055571eb5b2fcc8c22528.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2352967.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2352967.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3408913.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3408913.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3928
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4682659.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4682659.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2500
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9355492.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9355492.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 700
        3⤵
        • Program crash
        PID:1856
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 744
        3⤵
        • Program crash
        PID:3360
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 860
        3⤵
        • Program crash
        PID:2788
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 952
        3⤵
        • Program crash
        PID:3744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 988
        3⤵
        • Program crash
        PID:1268
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 960
        3⤵
        • Program crash
        PID:1624
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1264
        3⤵
        • Program crash
        PID:4228
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1292
        3⤵
        • Program crash
        PID:5108
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1360
        3⤵
        • Program crash
        PID:4388
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1388
        3⤵
        • Program crash
        PID:1984
      • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1044
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 692
          4⤵
          • Program crash
          PID:3712
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 868
          4⤵
          • Program crash
          PID:4352
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 932
          4⤵
          • Program crash
          PID:1068
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 980
          4⤵
          • Program crash
          PID:4284
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1076
          4⤵
          • Program crash
          PID:2296
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 924
          4⤵
          • Program crash
          PID:1992
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 924
          4⤵
          • Program crash
          PID:404
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 972
          4⤵
          • Program crash
          PID:4100
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:4336
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 876
          4⤵
          • Program crash
          PID:1844
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 768
          4⤵
          • Program crash
          PID:2768
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3836
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:2300
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:N"
              5⤵
                PID:1204
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                5⤵
                  PID:4132
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:208
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\c3912af058" /P "Admin:N"
                    5⤵
                      PID:2512
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\c3912af058" /P "Admin:R" /E
                      5⤵
                        PID:3960
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1304
                      4⤵
                      • Program crash
                      PID:3596
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1276
                      4⤵
                      • Program crash
                      PID:2612
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 132
                      4⤵
                      • Program crash
                      PID:1464
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 692
                      4⤵
                      • Program crash
                      PID:3740
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1348
                    3⤵
                    • Program crash
                    PID:4456
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 968 -ip 968
                1⤵
                  PID:3588
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 968 -ip 968
                  1⤵
                    PID:4556
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 968 -ip 968
                    1⤵
                      PID:1336
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 968 -ip 968
                      1⤵
                        PID:3292
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 968 -ip 968
                        1⤵
                          PID:2516
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 968 -ip 968
                          1⤵
                            PID:732
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 968 -ip 968
                            1⤵
                              PID:1036
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 968 -ip 968
                              1⤵
                                PID:1000
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 968 -ip 968
                                1⤵
                                  PID:1392
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 968 -ip 968
                                  1⤵
                                    PID:1840
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 968 -ip 968
                                    1⤵
                                      PID:2476
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1044 -ip 1044
                                      1⤵
                                        PID:3248
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1044 -ip 1044
                                        1⤵
                                          PID:4496
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1044 -ip 1044
                                          1⤵
                                            PID:1524
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1044 -ip 1044
                                            1⤵
                                              PID:2844
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1044 -ip 1044
                                              1⤵
                                                PID:4544
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1044 -ip 1044
                                                1⤵
                                                  PID:1568
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1044 -ip 1044
                                                  1⤵
                                                    PID:4568
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1044 -ip 1044
                                                    1⤵
                                                      PID:2028
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1044 -ip 1044
                                                      1⤵
                                                        PID:2104
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1044 -ip 1044
                                                        1⤵
                                                          PID:776
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1044 -ip 1044
                                                          1⤵
                                                            PID:1800
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1044 -ip 1044
                                                            1⤵
                                                              PID:1820
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1044 -ip 1044
                                                              1⤵
                                                                PID:460
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1044 -ip 1044
                                                                1⤵
                                                                  PID:896

                                                                Network

                                                                • flag-us
                                                                  DNS
                                                                  217.106.137.52.in-addr.arpa
                                                                  Remote address:
                                                                  8.8.8.8:53
                                                                  Request
                                                                  217.106.137.52.in-addr.arpa
                                                                  IN PTR
                                                                  Response
                                                                • flag-us
                                                                  DNS
                                                                  76.32.126.40.in-addr.arpa
                                                                  Remote address:
                                                                  8.8.8.8:53
                                                                  Request
                                                                  76.32.126.40.in-addr.arpa
                                                                  IN PTR
                                                                  Response
                                                                • flag-us
                                                                  DNS
                                                                  56.96.196.217.in-addr.arpa
                                                                  Remote address:
                                                                  8.8.8.8:53
                                                                  Request
                                                                  56.96.196.217.in-addr.arpa
                                                                  IN PTR
                                                                  Response
                                                                • flag-us
                                                                  DNS
                                                                  95.221.229.192.in-addr.arpa
                                                                  Remote address:
                                                                  8.8.8.8:53
                                                                  Request
                                                                  95.221.229.192.in-addr.arpa
                                                                  IN PTR
                                                                  Response
                                                                • flag-us
                                                                  DNS
                                                                  154.239.44.20.in-addr.arpa
                                                                  Remote address:
                                                                  8.8.8.8:53
                                                                  Request
                                                                  154.239.44.20.in-addr.arpa
                                                                  IN PTR
                                                                  Response
                                                                • flag-us
                                                                  DNS
                                                                  183.59.114.20.in-addr.arpa
                                                                  Remote address:
                                                                  8.8.8.8:53
                                                                  Request
                                                                  183.59.114.20.in-addr.arpa
                                                                  IN PTR
                                                                  Response
                                                                • flag-us
                                                                  DNS
                                                                  198.187.3.20.in-addr.arpa
                                                                  Remote address:
                                                                  8.8.8.8:53
                                                                  Request
                                                                  198.187.3.20.in-addr.arpa
                                                                  IN PTR
                                                                  Response
                                                                • flag-us
                                                                  DNS
                                                                  44.8.109.52.in-addr.arpa
                                                                  Remote address:
                                                                  8.8.8.8:53
                                                                  Request
                                                                  44.8.109.52.in-addr.arpa
                                                                  IN PTR
                                                                  Response
                                                                • flag-us
                                                                  DNS
                                                                  241.150.49.20.in-addr.arpa
                                                                  Remote address:
                                                                  8.8.8.8:53
                                                                  Request
                                                                  241.150.49.20.in-addr.arpa
                                                                  IN PTR
                                                                  Response
                                                                • flag-us
                                                                  DNS
                                                                  254.22.238.8.in-addr.arpa
                                                                  Remote address:
                                                                  8.8.8.8:53
                                                                  Request
                                                                  254.22.238.8.in-addr.arpa
                                                                  IN PTR
                                                                  Response
                                                                • flag-fi
                                                                  POST
                                                                  http://77.91.124.20/store/games/index.php
                                                                  oneetx.exe
                                                                  Remote address:
                                                                  77.91.124.20:80
                                                                  Request
                                                                  POST /store/games/index.php HTTP/1.1
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Host: 77.91.124.20
                                                                  Content-Length: 89
                                                                  Cache-Control: no-cache
                                                                  Response
                                                                  HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                  Date: Fri, 05 May 2023 19:06:15 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: keep-alive
                                                                • flag-us
                                                                  DNS
                                                                  20.124.91.77.in-addr.arpa
                                                                  Remote address:
                                                                  8.8.8.8:53
                                                                  Request
                                                                  20.124.91.77.in-addr.arpa
                                                                  IN PTR
                                                                  Response
                                                                  20.124.91.77.in-addr.arpa
                                                                  IN PTR
                                                                • 217.196.96.56:4138
                                                                  k3408913.exe
                                                                  9.2kB
                                                                   7.0kB
                                                                   38
                                                                  25
                                                                • 20.189.173.13:443
                                                                  322 B
                                                                   7
                                                                • 77.91.124.20:80
                                                                  http://77.91.124.20/store/games/index.php
                                                                  http
                                                                  oneetx.exe
                                                                  427 B
                                                                   327 B
                                                                   4
                                                                  3

                                                                  HTTP Request

                                                                  POST http://77.91.124.20/store/games/index.php

                                                                  HTTP Response

                                                                  200
                                                                • 8.8.8.8:53
                                                                  217.106.137.52.in-addr.arpa
                                                                  dns
                                                                  73 B
                                                                   147 B
                                                                   1
                                                                  1

                                                                  DNS Request

                                                                  217.106.137.52.in-addr.arpa

                                                                • 8.8.8.8:53
                                                                  76.32.126.40.in-addr.arpa
                                                                  dns
                                                                  71 B
                                                                   157 B
                                                                   1
                                                                  1

                                                                  DNS Request

                                                                  76.32.126.40.in-addr.arpa

                                                                • 8.8.8.8:53
                                                                  56.96.196.217.in-addr.arpa
                                                                  dns
                                                                  72 B
                                                                   132 B
                                                                   1
                                                                  1

                                                                  DNS Request

                                                                  56.96.196.217.in-addr.arpa

                                                                • 8.8.8.8:53
                                                                  95.221.229.192.in-addr.arpa
                                                                  dns
                                                                  73 B
                                                                   144 B
                                                                   1
                                                                  1

                                                                  DNS Request

                                                                  95.221.229.192.in-addr.arpa

                                                                • 8.8.8.8:53
                                                                  154.239.44.20.in-addr.arpa
                                                                  dns
                                                                  72 B
                                                                   158 B
                                                                   1
                                                                  1

                                                                  DNS Request

                                                                  154.239.44.20.in-addr.arpa

                                                                • 8.8.8.8:53
                                                                  183.59.114.20.in-addr.arpa
                                                                  dns
                                                                  72 B
                                                                   158 B
                                                                   1
                                                                  1

                                                                  DNS Request

                                                                  183.59.114.20.in-addr.arpa

                                                                • 8.8.8.8:53
                                                                  198.187.3.20.in-addr.arpa
                                                                  dns
                                                                  71 B
                                                                   157 B
                                                                   1
                                                                  1

                                                                  DNS Request

                                                                  198.187.3.20.in-addr.arpa

                                                                • 8.8.8.8:53
                                                                  44.8.109.52.in-addr.arpa
                                                                  dns
                                                                  70 B
                                                                   144 B
                                                                   1
                                                                  1

                                                                  DNS Request

                                                                  44.8.109.52.in-addr.arpa

                                                                • 8.8.8.8:53
                                                                  241.150.49.20.in-addr.arpa
                                                                  dns
                                                                  72 B
                                                                   158 B
                                                                   1
                                                                  1

                                                                  DNS Request

                                                                  241.150.49.20.in-addr.arpa

                                                                • 8.8.8.8:53
                                                                  254.22.238.8.in-addr.arpa
                                                                  dns
                                                                  71 B
                                                                   125 B
                                                                   1
                                                                  1

                                                                  DNS Request

                                                                  254.22.238.8.in-addr.arpa

                                                                • 8.8.8.8:53
                                                                  20.124.91.77.in-addr.arpa
                                                                  dns
                                                                  71 B
                                                                   84 B
                                                                   1
                                                                  1

                                                                  DNS Request

                                                                  20.124.91.77.in-addr.arpa

                                                                MITRE ATT&CK Enterprise v6

                                                                Replay Monitor

                                                                Loading Replay Monitor...

                                                                Downloads

                                                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9355492.exe
                                                                  Filesize

                                                                  271KB

                                                                  MD5

                                                                  81779ab246d3928416b9058a498f3ed7

                                                                  SHA1

                                                                  1accd4ee0f83c438f2f3a3617ceb987362f950ec

                                                                  SHA256

                                                                  1b02383c5a2f69e4ae7bb6e58d3b239bf64f6ae4431869e1ff4b1c41d6a7cd96

                                                                  SHA512

                                                                  3b48100dc3a0bb172aee9bd500490caa889b4697a7ced7e162059aaea3c0782e09892397c9586ea8ba57a8c04c7d8cdb73145874f77a473dceb1f1cd6b9540ac

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9355492.exe
                                                                  Filesize

                                                                  271KB

                                                                  MD5

                                                                  81779ab246d3928416b9058a498f3ed7

                                                                  SHA1

                                                                  1accd4ee0f83c438f2f3a3617ceb987362f950ec

                                                                  SHA256

                                                                  1b02383c5a2f69e4ae7bb6e58d3b239bf64f6ae4431869e1ff4b1c41d6a7cd96

                                                                  SHA512

                                                                  3b48100dc3a0bb172aee9bd500490caa889b4697a7ced7e162059aaea3c0782e09892397c9586ea8ba57a8c04c7d8cdb73145874f77a473dceb1f1cd6b9540ac

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2352967.exe
                                                                  Filesize

                                                                  307KB

                                                                  MD5

                                                                  9c5dfc30a5bee2d08408ce5a877b188f

                                                                  SHA1

                                                                  addc263d11eafb773badf65439996a3e209134b5

                                                                  SHA256

                                                                  cf6e1bd597f35d5aef86cc913c1728a5e2c29f8555c16a882e78a57037fe656d

                                                                  SHA512

                                                                  b2c5edc7c2750a0691e73ad4ee29ac38ea3dba44f1ac95387a81807b3222123f58bb5b8a36454d45b8a36afe3eeb0356866d196e0bb1fdd53a6afc4a8de65fc7

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2352967.exe
                                                                  Filesize

                                                                  307KB

                                                                  MD5

                                                                  9c5dfc30a5bee2d08408ce5a877b188f

                                                                  SHA1

                                                                  addc263d11eafb773badf65439996a3e209134b5

                                                                  SHA256

                                                                  cf6e1bd597f35d5aef86cc913c1728a5e2c29f8555c16a882e78a57037fe656d

                                                                  SHA512

                                                                  b2c5edc7c2750a0691e73ad4ee29ac38ea3dba44f1ac95387a81807b3222123f58bb5b8a36454d45b8a36afe3eeb0356866d196e0bb1fdd53a6afc4a8de65fc7

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3408913.exe
                                                                  Filesize

                                                                  168KB

                                                                  MD5

                                                                  9c4f06d6587126a5fcad06153c9549d2

                                                                  SHA1

                                                                  3ecc868d213a41cdf44d4a5e4250d9bf0a927207

                                                                  SHA256

                                                                  c7c3e0d1362999dcd37073cfe762ba2798de5e69f95e617ffdfd50609ad1447f

                                                                  SHA512

                                                                  6cbca46912e7bfa25d19ec236d185188619f2c76cc5f7babebb86b0948c30fc6722a736e265e02de250dbfa6404c5a5c7d0e42ed721dd694506700498f77f528

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3408913.exe
                                                                  Filesize

                                                                  168KB

                                                                  MD5

                                                                  9c4f06d6587126a5fcad06153c9549d2

                                                                  SHA1

                                                                  3ecc868d213a41cdf44d4a5e4250d9bf0a927207

                                                                  SHA256

                                                                  c7c3e0d1362999dcd37073cfe762ba2798de5e69f95e617ffdfd50609ad1447f

                                                                  SHA512

                                                                  6cbca46912e7bfa25d19ec236d185188619f2c76cc5f7babebb86b0948c30fc6722a736e265e02de250dbfa6404c5a5c7d0e42ed721dd694506700498f77f528

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4682659.exe
                                                                  Filesize

                                                                  177KB

                                                                  MD5

                                                                  1e979260a87ef5139028cbf5529f71c4

                                                                  SHA1

                                                                  cc7028974c9c709c8e20b9568e3602a58eca1125

                                                                  SHA256

                                                                  c586f1eb20eda195e27deb055c3602f04b441461cf33f1e87df0fdfa26feb1b2

                                                                  SHA512

                                                                  eaace329002afdf1908f5f881577ae53038e4b300f474d1a205d76d0c2259b5e6ea56a0c7c66a2bf7972156708aab38d284c71b2cb89daa58735d3fb961e3a1f

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4682659.exe
                                                                  Filesize

                                                                  177KB

                                                                  MD5

                                                                  1e979260a87ef5139028cbf5529f71c4

                                                                  SHA1

                                                                  cc7028974c9c709c8e20b9568e3602a58eca1125

                                                                  SHA256

                                                                  c586f1eb20eda195e27deb055c3602f04b441461cf33f1e87df0fdfa26feb1b2

                                                                  SHA512

                                                                  eaace329002afdf1908f5f881577ae53038e4b300f474d1a205d76d0c2259b5e6ea56a0c7c66a2bf7972156708aab38d284c71b2cb89daa58735d3fb961e3a1f

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                                                                  Filesize

                                                                  271KB

                                                                  MD5

                                                                  81779ab246d3928416b9058a498f3ed7

                                                                  SHA1

                                                                  1accd4ee0f83c438f2f3a3617ceb987362f950ec

                                                                  SHA256

                                                                  1b02383c5a2f69e4ae7bb6e58d3b239bf64f6ae4431869e1ff4b1c41d6a7cd96

                                                                  SHA512

                                                                  3b48100dc3a0bb172aee9bd500490caa889b4697a7ced7e162059aaea3c0782e09892397c9586ea8ba57a8c04c7d8cdb73145874f77a473dceb1f1cd6b9540ac

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                                                                  Filesize

                                                                  271KB

                                                                  MD5

                                                                  81779ab246d3928416b9058a498f3ed7

                                                                  SHA1

                                                                  1accd4ee0f83c438f2f3a3617ceb987362f950ec

                                                                  SHA256

                                                                  1b02383c5a2f69e4ae7bb6e58d3b239bf64f6ae4431869e1ff4b1c41d6a7cd96

                                                                  SHA512

                                                                  3b48100dc3a0bb172aee9bd500490caa889b4697a7ced7e162059aaea3c0782e09892397c9586ea8ba57a8c04c7d8cdb73145874f77a473dceb1f1cd6b9540ac

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                                                                  Filesize

                                                                  271KB

                                                                  MD5

                                                                  81779ab246d3928416b9058a498f3ed7

                                                                  SHA1

                                                                  1accd4ee0f83c438f2f3a3617ceb987362f950ec

                                                                  SHA256

                                                                  1b02383c5a2f69e4ae7bb6e58d3b239bf64f6ae4431869e1ff4b1c41d6a7cd96

                                                                  SHA512

                                                                  3b48100dc3a0bb172aee9bd500490caa889b4697a7ced7e162059aaea3c0782e09892397c9586ea8ba57a8c04c7d8cdb73145874f77a473dceb1f1cd6b9540ac

                                                                  Download Submit

                                                                • memory/968-201-0x00000000007A0000-0x00000000007D5000-memory.dmp

                                                                  Filesize

                                                                  212KB

                                                                  Download

                                                                • memory/968-202-0x0000000000400000-0x00000000006C3000-memory.dmp

                                                                  Filesize

                                                                  2.8MB

                                                                  Download

                                                                • memory/968-217-0x0000000000400000-0x00000000006C3000-memory.dmp

                                                                  Filesize

                                                                  2.8MB

                                                                  Download

                                                                • memory/1044-218-0x0000000000400000-0x00000000006C3000-memory.dmp

                                                                  Filesize

                                                                  2.8MB

                                                                  Download

                                                                • memory/1044-219-0x0000000000400000-0x00000000006C3000-memory.dmp

                                                                  Filesize

                                                                  2.8MB

                                                                  Download

                                                                • memory/2500-194-0x00000000049B0000-0x00000000049C0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/2500-186-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2500-195-0x00000000049B0000-0x00000000049C0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/2500-193-0x00000000049B0000-0x00000000049C0000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/2500-165-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2500-166-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2500-168-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2500-170-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2500-172-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2500-174-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2500-176-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2500-178-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2500-180-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2500-182-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2500-184-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2500-192-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2500-188-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/2500-190-0x0000000004950000-0x0000000004962000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/3928-154-0x000000000ACD0000-0x000000000AD62000-memory.dmp

                                                                  Filesize

                                                                  584KB

                                                                  Download

                                                                • memory/3928-148-0x000000000AE10000-0x000000000B428000-memory.dmp

                                                                  Filesize

                                                                  6.1MB

                                                                  Download

                                                                • memory/3928-157-0x000000000B530000-0x000000000B596000-memory.dmp

                                                                  Filesize

                                                                  408KB

                                                                  Download

                                                                • memory/3928-159-0x000000000C260000-0x000000000C422000-memory.dmp

                                                                  Filesize

                                                                  1.8MB

                                                                  Download

                                                                • memory/3928-156-0x000000000B9E0000-0x000000000BF84000-memory.dmp

                                                                  Filesize

                                                                  5.6MB

                                                                  Download

                                                                • memory/3928-155-0x0000000005460000-0x0000000005470000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/3928-152-0x000000000A8A0000-0x000000000A8DC000-memory.dmp

                                                                  Filesize

                                                                  240KB

                                                                  Download

                                                                • memory/3928-160-0x000000000C960000-0x000000000CE8C000-memory.dmp

                                                                  Filesize

                                                                  5.2MB

                                                                  Download

                                                                • memory/3928-158-0x000000000B8F0000-0x000000000B940000-memory.dmp

                                                                  Filesize

                                                                  320KB

                                                                  Download

                                                                • memory/3928-151-0x0000000005460000-0x0000000005470000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/3928-150-0x000000000A840000-0x000000000A852000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                  Download

                                                                • memory/3928-149-0x000000000A910000-0x000000000AA1A000-memory.dmp

                                                                  Filesize

                                                                  1.0MB

                                                                  Download

                                                                • memory/3928-153-0x000000000ABB0000-0x000000000AC26000-memory.dmp

                                                                  Filesize

                                                                  472KB

                                                                  Download

                                                                • memory/3928-147-0x0000000000AD0000-0x0000000000B00000-memory.dmp

                                                                  Filesize

                                                                  192KB

                                                                  Download

                                                                We care about your privacy.

                                                                This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.