Analysis

  • max time kernel
    151s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/11/2023, 15:03 UTC

General

  • Target

    21d1163cd9edb6ae1478f2695e70836e.exe

  • Size

    954KB

  • MD5

    21d1163cd9edb6ae1478f2695e70836e

  • SHA1

    1e18d438a23c0aa9ddf3df4eb81bc0a496e7b166

  • SHA256

    92e20368143782c5dcd729449a940ae0bd670adb81136a2430f58c8cc9762851

  • SHA512

    4cd9808622e15aec9f78f3cf3f8e84ea3ac53c8ced6f48ac8e08296fc90de4f4365d294fa0c7bd34d5453fabe2632955ce8fb1a69cf4df6e1619cc54feee2c57

  • SSDEEP

    12288:ADPWR28Le0cY+Yg9fb9ncA91c+yMBMWR7B0uFN5UQLQ9Z3htSWC9oF0MsLjmMj:Aj+xL9Rk9WA92+3uI7RNGQLchSWhsmA

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mercamaq.com.br
  • Port:
    587
  • Username:
    vendas@mercamaq.com.br
  • Password:
    !#Merc354
  • Email To:
    ops.eg@24x7rooms.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21d1163cd9edb6ae1478f2695e70836e.exe
    "C:\Users\Admin\AppData\Local\Temp\21d1163cd9edb6ae1478f2695e70836e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\21d1163cd9edb6ae1478f2695e70836e.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1088
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xAZEVWbiBNwhs.exe"
      2⤵
      PID:712
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xAZEVWbiBNwhs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7450.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2032
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:2004

    Network

    • flag-us
      DNS
      23.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      158.240.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      158.240.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      68.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      68.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.1.85.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.1.85.104.in-addr.arpa
      IN PTR
      Response
      198.1.85.104.in-addr.arpa
      IN PTR
      a104-85-1-198.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      2.136.104.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.136.104.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      135.1.85.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      135.1.85.104.in-addr.arpa
      IN PTR
      Response
      135.1.85.104.in-addr.arpa
      IN PTR
      a104-85-1-135.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      119.110.54.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      119.110.54.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      api.ipify.org
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ipify.org
      IN A
      Response
      api.ipify.org
      IN CNAME
      api4.ipify.org
      api4.ipify.org
      IN A
      173.231.16.77
      api4.ipify.org
      IN A
      64.185.227.156
      api4.ipify.org
      IN A
      104.237.62.212
    • flag-us
      GET
      https://api.ipify.org/
      RegSvcs.exe
      Remote address:
      173.231.16.77:443
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
      Host: api.ipify.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.25.1
      Date: Wed, 01 Nov 2023 15:08:37 GMT
      Content-Type: text/plain
      Content-Length: 12
      Connection: keep-alive
      Vary: Origin
    • flag-us
      DNS
      126.179.238.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      126.179.238.8.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      77.16.231.173.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      77.16.231.173.in-addr.arpa
      IN PTR
      Response
      77.16.231.173.in-addr.arpa
      IN PTR
      api.ipify.org
    • flag-us
      DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301244_17N91ZKZSGROIQHSO&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301244_17N91ZKZSGROIQHSO&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 484032
      content-type: image/jpeg
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: C4048F4B61124A17A3C2246E688627FC Ref B: BRU30EDGE0820 Ref C: 2023-11-01T15:09:32Z
      date: Wed, 01 Nov 2023 15:09:32 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301222_1FJU5PIOORZE0KYBN&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301222_1FJU5PIOORZE0KYBN&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 91993
      content-type: image/jpeg
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 32E6369C1A40403F89BD5D3CD2E0FBA3 Ref B: BRU30EDGE0820 Ref C: 2023-11-01T15:09:32Z
      date: Wed, 01 Nov 2023 15:09:32 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301278_1VRPF8TFV4TZXU6S8&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301278_1VRPF8TFV4TZXU6S8&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 384492
      content-type: image/jpeg
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 555701E49E7340EAA459ACF826AAAE3B Ref B: BRU30EDGE0820 Ref C: 2023-11-01T15:09:32Z
      date: Wed, 01 Nov 2023 15:09:32 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301653_1VKC04F354IQVXJN4&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301653_1VKC04F354IQVXJN4&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 97422
      content-type: image/jpeg
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: F43D08A55F0547FF83365FFB4702CEC3 Ref B: BRU30EDGE0820 Ref C: 2023-11-01T15:09:32Z
      date: Wed, 01 Nov 2023 15:09:32 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301631_1JS0AMCX251CLJ5OX&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301631_1JS0AMCX251CLJ5OX&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 345324
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 83AF725313AB42B4A339F8AF548BB0F2 Ref B: BRU30EDGE0820 Ref C: 2023-11-01T15:09:33Z
      date: Wed, 01 Nov 2023 15:09:33 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301687_13GOH55SKYYKR3YGC&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301687_13GOH55SKYYKR3YGC&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 503
      cache-control: no-store
      content-length: 2168
      content-type: text/html
      x-azure-externalerror: 0x80072ee2,OriginTimeout
      x-msedge-ref: Ref A: 2087346C652A4DEBA734E42FBA4B22F2 Ref B: BRU30EDGE0820 Ref C: 2023-11-01T15:09:32Z
      date: Wed, 01 Nov 2023 15:09:35 GMT
    • flag-us
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001.a-msedge.net
    • flag-us
      DNS
      4.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      4.173.189.20.in-addr.arpa
      IN PTR
      Response
    • 173.231.16.77:443
      https://api.ipify.org/
      tls, http
      RegSvcs.exe
      1.1kB
      7.1kB
      13
      14

      HTTP Request

      GET https://api.ipify.org/

      HTTP Response

      200
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239317301687_13GOH55SKYYKR3YGC&pid=21.2&w=1080&h=1920&c=4
      tls, http2
      51.0kB
      1.5MB
      1082
      1079

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301244_17N91ZKZSGROIQHSO&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301222_1FJU5PIOORZE0KYBN&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301278_1VRPF8TFV4TZXU6S8&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301653_1VKC04F354IQVXJN4&pid=21.2&w=1080&h=1920&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301631_1JS0AMCX251CLJ5OX&pid=21.2&w=1080&h=1920&c=4

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301687_13GOH55SKYYKR3YGC&pid=21.2&w=1080&h=1920&c=4

      HTTP Response

      200

      HTTP Response

      503
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.3kB
      16
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.3kB
      16
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.3kB
      16
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.3kB
      16
      14
    • 8.8.8.8:53
      23.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      23.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      158.240.127.40.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      158.240.127.40.in-addr.arpa

    • 8.8.8.8:53
      68.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      68.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      241.154.82.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.154.82.20.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      198.1.85.104.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      198.1.85.104.in-addr.arpa

    • 8.8.8.8:53
      2.136.104.51.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      2.136.104.51.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      135.1.85.104.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      135.1.85.104.in-addr.arpa

    • 8.8.8.8:53
      119.110.54.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      119.110.54.20.in-addr.arpa

    • 8.8.8.8:53
      api.ipify.org
      dns
      RegSvcs.exe
      59 B
      126 B
      1
      1

      DNS Request

      api.ipify.org

      DNS Response

      173.231.16.77
      64.185.227.156
      104.237.62.212

    • 8.8.8.8:53
      126.179.238.8.in-addr.arpa
      dns
      72 B
      126 B
      1
      1

      DNS Request

      126.179.238.8.in-addr.arpa

    • 8.8.8.8:53
      77.16.231.173.in-addr.arpa
      dns
      72 B
      99 B
      1
      1

      DNS Request

      77.16.231.173.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      21.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      173 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      200.197.79.204.in-addr.arpa
      dns
      73 B
      106 B
      1
      1

      DNS Request

      200.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      4.173.189.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      4.173.189.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gghorfjp.zba.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmp7450.tmp

      Filesize

      1KB

      MD5

      3760170cf3cda4321172b53b16cab6aa

      SHA1

      f83ed8ccce9190bab2b89dfca70d897f497da2ab

      SHA256

      4c8d1cec346faa14b4d9b77cddaee1750d9270349b9e59ea7b0b814f1961f849

      SHA512

      85f86909d9b24401b60c910571c80ca9b07cc642122c53a0acaa26a175b3533698194e8d6e2cc368e34cd495c3767584c23543b94472c75a71004c9e4c95619b

    • memory/1088-58-0x00000000076C0000-0x0000000007D3A000-memory.dmp

      Filesize

      6.5MB

    • memory/1088-61-0x0000000007300000-0x0000000007396000-memory.dmp

      Filesize

      600KB

    • memory/1088-56-0x0000000006340000-0x000000000635E000-memory.dmp

      Filesize

      120KB

    • memory/1088-46-0x0000000074DC0000-0x0000000074E0C000-memory.dmp

      Filesize

      304KB

    • memory/1088-45-0x0000000006F20000-0x0000000006F52000-memory.dmp

      Filesize

      200KB

    • memory/1088-44-0x000000007EE90000-0x000000007EEA0000-memory.dmp

      Filesize

      64KB

    • memory/1088-70-0x0000000074560000-0x0000000074D10000-memory.dmp

      Filesize

      7.7MB

    • memory/1088-66-0x00000000073A0000-0x00000000073A8000-memory.dmp

      Filesize

      32KB

    • memory/1088-65-0x00000000073C0000-0x00000000073DA000-memory.dmp

      Filesize

      104KB

    • memory/1088-64-0x00000000072C0000-0x00000000072D4000-memory.dmp

      Filesize

      80KB

    • memory/1088-63-0x00000000072B0000-0x00000000072BE000-memory.dmp

      Filesize

      56KB

    • memory/1088-17-0x0000000002450000-0x0000000002486000-memory.dmp

      Filesize

      216KB

    • memory/1088-18-0x0000000074560000-0x0000000074D10000-memory.dmp

      Filesize

      7.7MB

    • memory/1088-20-0x0000000002440000-0x0000000002450000-memory.dmp

      Filesize

      64KB

    • memory/1088-22-0x0000000004F50000-0x0000000005578000-memory.dmp

      Filesize

      6.2MB

    • memory/1088-21-0x0000000002440000-0x0000000002450000-memory.dmp

      Filesize

      64KB

    • memory/1088-62-0x0000000007280000-0x0000000007291000-memory.dmp

      Filesize

      68KB

    • memory/1088-57-0x0000000006F60000-0x0000000007003000-memory.dmp

      Filesize

      652KB

    • memory/1088-43-0x0000000002440000-0x0000000002450000-memory.dmp

      Filesize

      64KB

    • memory/1088-25-0x0000000004E80000-0x0000000004EA2000-memory.dmp

      Filesize

      136KB

    • memory/1088-42-0x00000000062D0000-0x000000000631C000-memory.dmp

      Filesize

      304KB

    • memory/1088-41-0x0000000005D90000-0x0000000005DAE000-memory.dmp

      Filesize

      120KB

    • memory/1088-60-0x00000000070F0000-0x00000000070FA000-memory.dmp

      Filesize

      40KB

    • memory/1088-40-0x00000000056A0000-0x0000000005706000-memory.dmp

      Filesize

      408KB

    • memory/1088-59-0x0000000007080000-0x000000000709A000-memory.dmp

      Filesize

      104KB

    • memory/2004-29-0x0000000005690000-0x00000000056F6000-memory.dmp

      Filesize

      408KB

    • memory/2004-28-0x0000000005720000-0x0000000005730000-memory.dmp

      Filesize

      64KB

    • memory/2004-27-0x0000000074560000-0x0000000074D10000-memory.dmp

      Filesize

      7.7MB

    • memory/2004-24-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/2004-71-0x0000000074560000-0x0000000074D10000-memory.dmp

      Filesize

      7.7MB

    • memory/2004-72-0x0000000005720000-0x0000000005730000-memory.dmp

      Filesize

      64KB

    • memory/2004-73-0x00000000070E0000-0x0000000007130000-memory.dmp

      Filesize

      320KB

    • memory/2004-74-0x0000000007360000-0x0000000007522000-memory.dmp

      Filesize

      1.8MB

    • memory/2308-12-0x0000000009B50000-0x0000000009EA4000-memory.dmp

      Filesize

      3.3MB

    • memory/2308-0-0x0000000074560000-0x0000000074D10000-memory.dmp

      Filesize

      7.7MB

    • memory/2308-11-0x0000000007360000-0x00000000073FC000-memory.dmp

      Filesize

      624KB

    • memory/2308-3-0x0000000005A70000-0x0000000005B02000-memory.dmp

      Filesize

      584KB

    • memory/2308-23-0x0000000009FF0000-0x000000000A022000-memory.dmp

      Filesize

      200KB

    • memory/2308-2-0x0000000006020000-0x00000000065C4000-memory.dmp

      Filesize

      5.6MB

    • memory/2308-1-0x0000000000F10000-0x0000000001004000-memory.dmp

      Filesize

      976KB

    • memory/2308-30-0x0000000074560000-0x0000000074D10000-memory.dmp

      Filesize

      7.7MB

    • memory/2308-10-0x0000000007230000-0x000000000729A000-memory.dmp

      Filesize

      424KB

    • memory/2308-9-0x0000000006E50000-0x0000000006E5C000-memory.dmp

      Filesize

      48KB

    • memory/2308-8-0x0000000005CF0000-0x0000000005D00000-memory.dmp

      Filesize

      64KB

    • memory/2308-7-0x0000000074560000-0x0000000074D10000-memory.dmp

      Filesize

      7.7MB

    • memory/2308-6-0x0000000005C70000-0x0000000005C86000-memory.dmp

      Filesize

      88KB

    • memory/2308-5-0x00000000059F0000-0x00000000059FA000-memory.dmp

      Filesize

      40KB

    • memory/2308-4-0x0000000005CF0000-0x0000000005D00000-memory.dmp

      Filesize

      64KB
