Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-11-2023 04:07

General

  • Target

    21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe.exe

  • Size

    527KB

  • MD5

    a3d6afc43a4d86712ffe2aa629160fb9

  • SHA1

    561484ebca46ed027eea54a73d07495ecda444e3

  • SHA256

    21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe

  • SHA512

    eacb347f07ad989f9329ea4b7c69fdf6ac585b94dc815b0f233389e5ea940f43dd179fec0ed43a9bd2685d7cb80a3345db3a6fa9f6c96e1c6c35daf7b2253891

  • SSDEEP

    12288:rMrZy90zvE6M60ko89xfzw+fvv2SYwM/7M55ht/Q4g:ay0t5o8Tw+fv9YwmghQz

Malware Config

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes
  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Detects Healer, an antivirus disabler dropper 3 IoCs
  • Healer

    Healer is an antivirus-disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
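The "Modifies Windows Defender Real-time Protection settings" and "Windows security modification" hits belong to the Healer component (q1712604.exe, PID 2192 in the process tree below), but the report does not list which registry values it wrote. The following Python is an added example, not part of this report or of any sandbox tooling: it parses the text of a `reg export` of the Defender policy hive and lists the real-time-protection switches that have been forced on. The watch list (DisableRealtimeMonitoring, DisableBehaviorMonitoring, DisableOnAccessProtection, DisableScanOnRealtimeEnable, DisableIOAVProtection under `...\Windows Defender\Real-Time Protection`, plus DisableAntiSpyware and DisableAntiVirus under `...\Windows Defender`) is the set of well-known Defender policy values, chosen here as an assumption about what an AV-disabler typically flips; the sample export is constructed for the example.

```python
"""Audit a Defender policy export for forced real-time-protection switches.

Added example (not from the report).  Input is the decoded text of
    reg export "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" defender.reg /y
in "Windows Registry Editor Version 5.00" format.  The value names watched
are the well-known Defender policy switches (an assumption: the report does
not say which values this sample wrote).  SAMPLE_REG below is constructed.
"""
import re
from pathlib import Path
from typing import Dict, List, Tuple

ROOT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
RTP_KEY = ROOT_KEY + r"\Real-Time Protection"

# key path -> value names whose data 1 means "protection disabled by policy"
DEFAULT_WATCH: Dict[str, set] = {
    ROOT_KEY: {"DisableAntiSpyware", "DisableAntiVirus"},
    RTP_KEY: {
        "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
        "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
        "DisableIOAVProtection",
    },
}

# Constructed export of a tampered host (not data from the report).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000001
"DisableScanOnRealtimeEnable"=dword:00000001
"DisableIOAVProtection"=dword:00000001
"LocalSettingOverrideDisableRealtimeMonitoring"=dword:00000000
'''

# Constructed export of a clean host: no policy keys at all (Defender defaults apply).
CLEAN_REG = "Windows Registry Editor Version 5.00\n"

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Return {key_path: {value_name: int}} for dword values; other types are ignored."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit(text: str, watch: Dict[str, set] = DEFAULT_WATCH) -> List[Tuple[str, str, int]]:
    """List (key leaf name, value name, data) for watched switches set to 1.

    Registry key and value names are case-insensitive, so both are compared lowered.
    An absent key is not a finding: it means the policy is simply not set.
    """
    exported = {k.lower(): v for k, v in parse_reg(text).items()}
    hits = []
    for key, names in watch.items():
        wanted = {n.lower() for n in names}
        for name, data in exported.get(key.lower(), {}).items():
            if name.lower() in wanted and data == 1:
                hits.append((key.rsplit("\\", 1)[-1], name, data))
    return sorted(hits)


def audit_file(path: str) -> List[Tuple[str, str, int]]:
    """reg.exe writes UTF-16LE with a BOM; decode accordingly before auditing."""
    return audit(Path(path).read_text(encoding="utf-16"))


if __name__ == "__main__":
    for key, name, data in audit(SAMPLE_REG):
        print(f"[{key}] {name} = {data}  (protection disabled by policy)")
    print("clean export:", audit(CLEAN_REG))
```

The same value names also exist under the non-policy location `HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection`; export that key too and pass a `watch` mapping keyed on it to check both. A hit here says the switch is set, not who set it, so pair it with the process-creation and registry-write events around PID 2192 when confirming the Healer attribution.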

Processes

  • C:\Users\Admin\AppData\Local\Temp\21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe.exe
    "C:\Users\Admin\AppData\Local\Temp\21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe.exe"
    PID:1508
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7507389.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7507389.exe
      PID:4164
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe
        PID:2192
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8788629.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8788629.exe
        PID:1484
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          PID:4376
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          PID:32
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 540
            PID:1336
            • Program crash
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 152
          PID:2244
          • Program crash
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0981532.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0981532.exe
      PID:5020
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        PID:4200
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 152
        PID:3568
        • Program crash
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1484 -ip 1484
    PID:3280
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 32 -ip 32
    PID:564
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5020 -ip 5020
    PID:2172
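The tree above is the detection-worthy shape of this sample, independent of the hashes: a nested self-extractor (IXP000.TMP and IXP001.TMP are the temp directories that IExpress-style self-extracting packages unpack into) runs droppers from %TEMP%, two of which (r8788629.exe and s0981532.exe, both flagged for SetThreadContext and WriteProcessMemory) start the .NET utility AppLaunch.exe with no arguments as a hollowing host, and the WerFault.exe invocations for PIDs 32, 1484 and 5020 mark where the injected code crashed. The following Python is an added example, not part of this report or of any sandbox tooling, that applies those three heuristics to process-creation events; the records are constructed Sysmon-style (pid, ppid, image, command line) tuples whose PIDs and paths mirror the tree, plus two benign controls, and the rule names and field layout are assumptions for the illustration.

```python
"""Process-tree heuristics for the pattern in this report.

Added example, not part of the report or any sandbox tooling.  Three rules:
  1. an executable started from %TEMP%\\IXP00x.TMP (the extraction directory
     used by IExpress-style self-extracting droppers);
  2. AppLaunch.exe started with no arguments by a parent in a user-writable
     path (the hollowing host flagged above via SetThreadContext and
     WriteProcessMemory);
  3. WerFault.exe invoked for a PID flagged by rule 1 or 2, i.e. the injected
     payload crashed.
The events are constructed, Sysmon-like (pid, ppid, image, command line)
tuples whose PIDs and paths mirror the report; they are not report data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
EXPLORER = r"C:\Windows\explorer.exe"

Event = Tuple[int, int, str, str]  # (pid, ppid, image, command line)

# Constructed events; PID 700 stands in for an unrecorded parent, 9001-9003 are controls.
EVENTS: List[Event] = [
    (1508, 700, SAMPLE, f'"{SAMPLE}"'),
    (4164, 1508, TEMP + r"\IXP000.TMP\z7507389.exe", TEMP + r"\IXP000.TMP\z7507389.exe"),
    (2192, 4164, TEMP + r"\IXP001.TMP\q1712604.exe", TEMP + r"\IXP001.TMP\q1712604.exe"),
    (1484, 4164, TEMP + r"\IXP001.TMP\r8788629.exe", TEMP + r"\IXP001.TMP\r8788629.exe"),
    (4376, 1484, APPLAUNCH, f'"{APPLAUNCH}"'),
    (32, 1484, APPLAUNCH, f'"{APPLAUNCH}"'),
    (1336, 32, WERFAULT, WERFAULT + " -u -p 32 -s 540"),
    (2244, 1484, WERFAULT, WERFAULT + " -u -p 1484 -s 152"),
    (5020, 1508, TEMP + r"\IXP000.TMP\s0981532.exe", TEMP + r"\IXP000.TMP\s0981532.exe"),
    (4200, 5020, APPLAUNCH, f'"{APPLAUNCH}"'),
    (3568, 5020, WERFAULT, WERFAULT + " -u -p 5020 -s 152"),
    (3280, 700, WERFAULT, WERFAULT + " -pss -s 480 -p 1484 -ip 1484"),
    # Controls: AppLaunch with arguments, and AppLaunch without arguments but
    # started from a system binary; neither should trip rule 2.
    (9001, 700, APPLAUNCH, f'"{APPLAUNCH}" /some /args'),
    (9002, 700, EXPLORER, "explorer.exe"),
    (9003, 9002, APPLAUNCH, f'"{APPLAUNCH}"'),
]

IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.exe$", re.I)
APPLAUNCH_RE = re.compile(r"\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\AppLaunch\.exe$", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\(?:Users|ProgramData)\\", re.I)
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def has_no_arguments(image: str, cmdline: str) -> bool:
    """True when the command line is nothing but the image path, quoted or not."""
    return cmdline.strip().strip('"').lower() == image.lower()


def werfault_target(cmdline: str) -> Optional[int]:
    """PID named by WerFault's -p switch (both -u and -pss forms), or None."""
    m = WERFAULT_PID.search(cmdline)
    return int(m.group(1)) if m else None


def analyze(events: List[Event]) -> List[Finding]:
    by_pid = {e[0]: e for e in events}
    findings: List[Finding] = []
    flagged = set()
    for pid, ppid, image, cmdline in events:
        if IXP_DIR.search(image):
            findings.append(Finding(pid, "exe_from_iexpress_tmp", image))
            flagged.add(pid)
        parent = by_pid.get(ppid)
        if (APPLAUNCH_RE.search(image) and has_no_arguments(image, cmdline)
                and parent is not None and USER_WRITABLE.match(parent[2])):
            findings.append(Finding(pid, "applaunch_hollowing_host", f"parent {ppid} {parent[2]}"))
            flagged.add(pid)
    # Second pass: WerFault may be a child of the crashing process or of the
    # service host (the -pss form), so match on the -p argument, not on ppid.
    for pid, ppid, image, cmdline in events:
        if image.lower().endswith("\\werfault.exe"):
            target = werfault_target(cmdline)
            if target in flagged:
                findings.append(Finding(pid, "werfault_for_flagged_pid", f"crash of PID {target}"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"PID {f.pid:>5}  {f.rule:<26} {f.detail}")
```

Rule 2 deliberately requires both conditions: AppLaunch.exe with no arguments is how legitimate .NET activation hosts start too, and a parent under C:\Users alone is not suspicious, but the combination is rare outside injection. Feed it real Sysmon Event ID 1 records by mapping ProcessId, ParentProcessId, Image and CommandLine onto the tuple.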

Network

  DNS (all queries sent to 8.8.8.8:53)

  • PTR 20.160.190.20.in-addr.arpa: empty response
  • PTR 95.221.229.192.in-addr.arpa: empty response
  • PTR 241.154.82.20.in-addr.arpa: empty response
  • PTR 163.252.72.23.in-addr.arpa: a23-72-252-163.deploy.static.akamaitechnologies.com
  • PTR 146.78.124.51.in-addr.arpa: empty response
  • PTR 39.142.81.104.in-addr.arpa: a104-81-142-39.deploy.static.akamaitechnologies.com (queried twice; the second query received no response)
  • PTR 43.58.199.20.in-addr.arpa: empty response
  • PTR 26.35.223.20.in-addr.arpa: empty response
  • A tse1.mm.bing.net: CNAME mm-mm.bing.net.trafficmanager.net, CNAME dual-a-0001.a-msedge.net, A 204.79.197.200, A 13.107.21.200
  • PTR 59.128.231.4.in-addr.arpa: empty response
  • PTR 254.23.238.8.in-addr.arpa: empty response
  • PTR 13.227.111.52.in-addr.arpa: empty response

  HTTP (all to tse1.mm.bing.net at 204.79.197.200:443, HTTP/2 over TLS)

  Six GET requests, each sent with the same headers:
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

  • GET https://tse1.mm.bing.net/th?id=OADD2.10239317301295_199VGO4MWX73B9FOK&pid=21.2&w=1920&h=1080&c=4
    200, content-length 316915, x-msedge-ref Ref A: CA07E37E036F4B4CAA278D8DCEEBF229, Ref C: 2023-11-03T04:08:18Z
  • GET https://tse1.mm.bing.net/th?id=OADD2.10239317301623_1VUR2KBQVO06G93HJ&pid=21.2&w=1080&h=1920&c=4
    200, content-length 421003, x-msedge-ref Ref A: AF054FDBA36243B49D6C1F44D4D3E141, Ref C: 2023-11-03T04:08:18Z
  • GET https://tse1.mm.bing.net/th?id=OADD2.10239317301274_1PA1BJMKSSMY4Z5BP&pid=21.2&w=1920&h=1080&c=4
    200, content-length 238322, x-msedge-ref Ref A: 3CC96788501C445687D83B76C559E6C3, Ref C: 2023-11-03T04:08:18Z
  • GET https://tse1.mm.bing.net/th?id=OADD2.10239317301214_1PJAY06J5HO947G63&pid=21.2&w=1920&h=1080&c=4
    200, content-length 361046, x-msedge-ref Ref A: E80EAC17D1B54284B2FFBA35E9899A9A, Ref C: 2023-11-03T04:08:18Z
  • GET https://tse1.mm.bing.net/th?id=OADD2.10239317301683_1HSDAIPF7ZNRJKYTI&pid=21.2&w=1080&h=1920&c=4
    200, content-length 202205, x-msedge-ref Ref A: 951004847FB04F0A975FB5F1D298CE2F, Ref C: 2023-11-03T04:08:18Z
  • GET https://tse1.mm.bing.net/th?id=OADD2.10239317301704_1DMLWCC7QA5PEMQP4&pid=21.2&w=1080&h=1920&c=4
    200, content-length 332088, x-msedge-ref Ref A: 2C7E1E53AF25493C88599CE93649752E, Ref C: 2023-11-03T04:08:19Z

  Response headers common to all six (only content-length, Ref A and the timestamps differ; the date header is Fri, 03 Nov 2023 04:08:18 GMT, 04:08:19 for the last request):
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: <per request> Ref B: BRU30EDGE0813 Ref C: <per request>

  None of this DNS or HTTP activity is attributed to a sample process: the reverse lookups and the 1920x1080 / 1080x1920 JPEG fetches from tse1.mm.bing.net carry the Windows Edge/18 user agent and are the sandbox image's own background traffic. The only flows tied to the sample are the AppLaunch.exe connections to 77.91.124.55:19071 in the connection table.
  Connections (bytes and packets as sent / received)

  Remote address       Domain / process             Protocol     Sent     Received   TX     RX
  77.91.124.55:19071   AppLaunch.exe                             260 B               5
  77.91.124.55:19071   AppLaunch.exe                             260 B               5
  77.91.124.55:19071   AppLaunch.exe                             260 B               5
  77.91.124.55:19071   AppLaunch.exe                             260 B               5
  77.91.124.55:19071   AppLaunch.exe                             260 B               5
  204.79.197.200:443   tse1.mm.bing.net             tls, http2   1.2kB    8.2kB      16     13
  204.79.197.200:443   tse1.mm.bing.net             tls, http2   1.2kB    8.3kB      16     14
  204.79.197.200:443   tse1.mm.bing.net             tls, http2   1.2kB    8.3kB      16     14
  204.79.197.200:443   tse1.mm.bing.net             tls, http2   66.2kB   1.9MB      1413   1409
  204.79.197.200:443   tse1.mm.bing.net             tls, http2   1.2kB    8.3kB      16     14
  8.8.8.8:53           20.160.190.20.in-addr.arpa   dns          72 B     158 B      1      1
  8.8.8.8:53           95.221.229.192.in-addr.arpa  dns          73 B     144 B      1      1
  8.8.8.8:53           241.154.82.20.in-addr.arpa   dns          72 B     158 B      1      1
  8.8.8.8:53           163.252.72.23.in-addr.arpa   dns          72 B     137 B      1      1
  8.8.8.8:53           146.78.124.51.in-addr.arpa   dns          72 B     158 B      1      1
  8.8.8.8:53           39.142.81.104.in-addr.arpa   dns          144 B    137 B      2      1
  8.8.8.8:53           43.58.199.20.in-addr.arpa    dns          71 B     157 B      1      1
  8.8.8.8:53           26.35.223.20.in-addr.arpa    dns          71 B     157 B      1      1
  8.8.8.8:53           tse1.mm.bing.net             dns          62 B     173 B      1      1
  8.8.8.8:53           59.128.231.4.in-addr.arpa    dns          71 B     157 B      1      1
  8.8.8.8:53           254.23.238.8.in-addr.arpa    dns          71 B     125 B      1      1
  8.8.8.8:53           13.227.111.52.in-addr.arpa   dns          72 B     158 B      1      1

  The 66.2kB / 1.9MB connection to 204.79.197.200:443 carried all six GET requests to tse1.mm.bing.net listed above, each answered 200. The tse1.mm.bing.net DNS row resolved to 204.79.197.200 and 13.107.21.200.

  The five 77.91.124.55:19071 rows are the only sample-attributed flows, and each shows 260 B in 5 packets with nothing received. 260 / 5 is 52 bytes per packet, the size of a TCP SYN with options, so these are consistent with connection attempts that the C2 never answered during the run: no RedLine check-in was captured, and the botnet name, C2 address and auth_value in the Malware Config section come from the extracted payload configuration, not from observed traffic. Treat 77.91.124.55:19071 as an indicator of attempted, not confirmed, command and control.
Downloads

  Dropped files (the raw report lists each file twice with identical hashes; each appears once here)

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7507389.exe (295KB)
    MD5     ce9e2943c4562f0ca2295319470450dd
    SHA1    116e75a0e819aa36e422fe1027e6ac879afdd858
    SHA256  4ac99fae79d6b54ea4e1ff1b147d8648a7e0e93ba502c09520fc7d41807b865e
    SHA512  a15f0d6afe1def5f01326ffc5f7e56ccb747e387f1b47f13cc99140ee1050b3a3b2c754a0395daafebcbc9399539a534066a20d8590fdeb88246b89ec287d82a

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe (11KB)
    MD5     76989d4a2115b82a2049cdb33100157a
    SHA1    a88856b86bd4d4740012517c0fbfdebaccebe04a
    SHA256  fa80a2a8759ff817e06922be933215968a162f55089cd6f26190648fffb15be4
    SHA512  19719e3eed92c9d907ae53f7d9f77c6421f78d7c6c4094ea87b195f80816a474b124472a0fef4f5bd66eac4939fc89f885332b3a56912b18c4e694b9980107b6

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8788629.exe (276KB)
    MD5     2befaa9683c4c672ffd2eb9fe9a80782
    SHA1    04ec4e0ea3e2f104673b721844dd77674b890839
    SHA256  3b1a7d89461bd526930e994886400dafb69bc8fa88ee1cd5fa53a734cd2ee71f
    SHA512  f8943820277cbfb0d7becaa63f43bc82013ee074fb4e20f682297c9edc056d3c02f1ed60c9645ea88c03a65a86d2790dce4d48813cfda65792c1164757a1f2a9

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0981532.exe (310KB)
    MD5     86527f1cd9f4956ba87076c0875a5d91
    SHA1    e551435216e95b802ba75f79073321ed6655f15c
    SHA256  d8f105ee220b6e99af532bc281740b57a043bf0bb53cd184e90148d04fef4d14
    SHA512  9d40dacc49d12e0a341a6f4267c6ccddeac734f8aa8e0fc20d30395ff258ce66c870159e5abd857992ea8243b839bf7adcdc0f319ec7cc45eb9b4634cf09b3fa

  Memory dumps (name format memory/<pid>-<sequence>-<start>-<end>-memory.dmp)

  • PID 32 (AppLaunch.exe, child of r8788629.exe), 0x0000000000400000-0x0000000000428000, 160KB each:
    memory/32-22-0x0000000000400000-0x0000000000428000-memory.dmp
    memory/32-23-0x0000000000400000-0x0000000000428000-memory.dmp
    memory/32-24-0x0000000000400000-0x0000000000428000-memory.dmp
    memory/32-26-0x0000000000400000-0x0000000000428000-memory.dmp
  • PID 2192 (q1712604.exe):
    memory/2192-14-0x0000000000CA0000-0x0000000000CAA000-memory.dmp (40KB)
    memory/2192-15-0x00007FFB13B70000-0x00007FFB14631000-memory.dmp (10.8MB)
    memory/2192-16-0x00007FFB13B70000-0x00007FFB14631000-memory.dmp (10.8MB)
    memory/2192-18-0x00007FFB13B70000-0x00007FFB14631000-memory.dmp (10.8MB)
  • PID 4200 (AppLaunch.exe, child of s0981532.exe):
    memory/4200-30-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
    memory/4200-31-0x0000000073A70000-0x0000000074220000-memory.dmp (7.7MB)
    memory/4200-32-0x0000000003380000-0x0000000003386000-memory.dmp (24KB)
    memory/4200-33-0x0000000006080000-0x0000000006698000-memory.dmp (6.1MB)
    memory/4200-34-0x0000000005B70000-0x0000000005C7A000-memory.dmp (1.0MB)
    memory/4200-35-0x0000000005950000-0x0000000005960000-memory.dmp (64KB)
    memory/4200-36-0x00000000058E0000-0x00000000058F2000-memory.dmp (72KB)
    memory/4200-37-0x0000000005A60000-0x0000000005A9C000-memory.dmp (240KB)
    memory/4200-38-0x0000000005AA0000-0x0000000005AEC000-memory.dmp (304KB)
    memory/4200-39-0x0000000073A70000-0x0000000074220000-memory.dmp (7.7MB)
    memory/4200-40-0x0000000005950000-0x0000000005960000-memory.dmp (64KB)

  The 0x400000 regions dumped from the two AppLaunch.exe processes (PIDs 32 and 4200) sit at the default 32-bit image base, which is consistent with the SetThreadContext / WriteProcessMemory hollowing flagged on their parents; these dumps, not the on-disk droppers, are where to look for the unpacked Mystic and RedLine payloads.
