Analysis

  • max time kernel
    140s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/11/2023, 12:49 UTC

General

  • Target

    NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe

  • Size

    660KB

  • MD5

    0a9a21411a503e7617ffe3c1fe190e8c

  • SHA1

    8298c8a9fa4c288ecdea34d8d493d511c3c22bee

  • SHA256

    895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880

  • SHA512

    b970b5b05b041061689fe445601f312e5cf819d349ad38d9b78e4c8bedda228a7fee52574dd3fd1ddeaf8b252d1cd6e61d39e2abf4be09964d765c01e5de52f5

  • SSDEEP

    12288:epoadswFckSxQPGRVax4VMU5ZcFnMGokXgVj4mTXyXLX:epoadBSxxQPGux4GeQnHodSma

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    pearlyn.tan@nuoryons.com
  • Password:
    Loverboy@123

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    pearlyn.tan@nuoryons.com
  • Password:
    Loverboy@123
  • Email To:
    pearlyn.tan@nuoryons.com

Signatures

  • AgentTesla

    Agent Tesla is a .NET remote access tool (RAT) and information stealer, historically written in Visual Basic .NET. This build runs under the 32-bit CLR v4.0 (see the UsageLogs file under Downloads) and exfiltrates over SMTP with the credentials extracted above.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely as a geofence check before the payload runs.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store user data, including saved account credentials, on disk, where infostealers routinely harvest it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers routinely harvest stored browser data, which can include saved credentials and other account material.

  • Suspicious use of SetThreadContext 1 IoCs

    Setting the thread context of another process, seen here together with WriteProcessMemory and a re-launched copy of the sample (PID 4932), is the classic process-hollowing (RunPE) sequence: the parent writes the unpacked payload into a fresh child and redirects the child's thread to it.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe"
    PID:4368
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\acvliyEf.exe"
      PID:4120
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\acvliyEf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF944.tmp"
      PID:2924
      • Creates scheduled task(s)
    • C:\Users\Admin\AppData\Local\Temp\NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe"
      PID:4932
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken

    Reading the tree: the command lines name System32, but the images actually run from SysWOW64. That is WoW64 file-system redirection, because the sample is 32-bit (arch:x86 above, CLR_v4.0_32 usage log under Downloads). The Add-MpPreference call excludes C:\Users\Admin\AppData\Roaming\acvliyEf.exe from Defender before the task "Updates\acvliyEf" is registered from the XML in tmpF944.tmp; no file at that path appears among the dropped files in this run, so the exclusion covers the copy the scheduled task is expected to launch rather than a file observed being written. The last child (PID 4932) is a second instance of the sample's own image, which together with the SetThreadContext and WriteProcessMemory activity on PID 4368 is the usual hollowing pattern.

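The three children above are the whole of the sample's visible post-execution behaviour: a Defender exclusion, a scheduled task, and a re-launched copy of its own image. The Python below is an added example, not code from this report or from the sandbox, showing how a detection engineer would express those three behaviours as rules over process-creation events. The events are constructed here from the tree on this page; the sample's own parent PID (4000) and the benign control event (PID 5000, an exclusion for a non-user-writable path) are assumptions and do not appear in the report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Directories a standard user can write to; a Defender exclusion or a task
# definition that points here deserves a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.IGNORECASE)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as executed (SysWOW64 for the redirected 32-bit tools)
    cmdline: str


# Constructed process-creation events mirroring the tree in this report.
# The parent PID of the sample (4000) and the control event (PID 5000) are assumed.
EVENTS = [
    ProcEvent(4368, 4000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4120, 4368, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\acvliyEf.exe"'),
    ProcEvent(2924, 4368, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\acvliyEf" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpF944.tmp"'),
    ProcEvent(4932, 4368, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(5000, 4001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe Add-MpPreference -ExclusionPath "D:\SQLData"'),
]


def tokens(cmdline: str) -> list:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def arg_after(toks: list, flag: str) -> Optional[str]:
    """Value following a flag such as /XML or -ExclusionPath (case-insensitive)."""
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() == flag.lower():
            return toks[i + 1]
    return None


def rule_defender_exclusion(ev: ProcEvent) -> Optional[str]:
    """powershell.exe adding a Defender path exclusion under a user-writable directory."""
    if not ev.image.lower().endswith("powershell.exe"):
        return None
    toks = tokens(ev.cmdline)
    if "add-mppreference" not in {t.lower() for t in toks}:
        return None
    path = arg_after(toks, "-ExclusionPath")
    if path and USER_WRITABLE.search(path):
        return f"Defender exclusion for user-writable path {path}"
    return None


def rule_schtasks_xml_from_temp(ev: ProcEvent) -> Optional[str]:
    """schtasks /Create importing a task definition from a Temp/AppData XML file."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return None
    toks = tokens(ev.cmdline)
    if "/create" not in {t.lower() for t in toks}:
        return None
    xml = arg_after(toks, "/XML")
    if xml and USER_WRITABLE.search(xml):
        return f"task {arg_after(toks, '/TN')!r} created from {xml}"
    return None


def rule_self_spawn(ev: ProcEvent, by_pid: dict) -> Optional[str]:
    """A user-writable image re-launching itself: the hollowing pattern seen with PID 4932."""
    parent = by_pid.get(ev.ppid)
    if parent and parent.image.lower() == ev.image.lower() and USER_WRITABLE.search(ev.image):
        return f"child re-executes parent image {ev.image}"
    return None


def run_rules(events) -> list:
    """Return (rule, pid, detail) for every event that trips a rule, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for name, rule in (("defender_exclusion", rule_defender_exclusion),
                           ("schtasks_xml_temp", rule_schtasks_xml_from_temp)):
            detail = rule(ev)
            if detail:
                findings.append((name, ev.pid, detail))
        detail = rule_self_spawn(ev, by_pid)
        if detail:
            findings.append(("self_spawn", ev.pid, detail))
    return findings


if __name__ == "__main__":
    for name, pid, detail in run_rules(EVENTS):
        print(f"{name:20} PID {pid}: {detail}")
```

Run against the constructed events, the three findings line up with PIDs 4120, 2924 and 4932, and the control exclusion for D:\SQLData is not reported because the path is not user-writable. On a live host the two persistence artefacts can be confirmed with Get-MpPreference (the ExclusionPath property) and schtasks /Query /TN "Updates\acvliyEf" /XML.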
Network

  • DNS (US)
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    74.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.32.126.40.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    146.78.124.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.78.124.51.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    155.245.36.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    155.245.36.23.in-addr.arpa
    IN PTR
    Response
    155.245.36.23.in-addr.arpa
    IN PTR
    a23-36-245-155.deploy.static.akamaitechnologies.com
  • DNS (US)
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    us2.smtp.mailhostbox.com
    NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe
    Remote address:
    8.8.8.8:53
    Request
    us2.smtp.mailhostbox.com
    IN A
    Response
    us2.smtp.mailhostbox.com
    IN A
    208.91.199.225
    us2.smtp.mailhostbox.com
    IN A
    208.91.198.143
    us2.smtp.mailhostbox.com
    IN A
    208.91.199.223
    us2.smtp.mailhostbox.com
    IN A
    208.91.199.224
  • DNS (US)
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    225.199.91.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    225.199.91.208.in-addr.arpa
    IN PTR
    Response
    225.199.91.208.in-addr.arpa
    IN PTR
    208-91-199-225.unifiedlayer.com
  • DNS (US)
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • GET (US)
    https://tse1.mm.bing.net/th?id=OADD2.10239317301720_1RTL8BA2J0Q8NK3V3&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301720_1RTL8BA2J0Q8NK3V3&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 727788
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F9635CF290294398A160B35FB23920C0 Ref B: AMS04EDGE1416 Ref C: 2023-11-05T12:50:33Z
    date: Sun, 05 Nov 2023 12:50:32 GMT
  • GET (US)
    https://tse1.mm.bing.net/th?id=OADD2.10239317301321_1WU4KPMKVNBS4UXRB&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301321_1WU4KPMKVNBS4UXRB&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 221908
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2EFC8896C0BD42C5B2917FD75BC65815 Ref B: AMS04EDGE1416 Ref C: 2023-11-05T12:50:33Z
    date: Sun, 05 Nov 2023 12:50:32 GMT
  • GET (US)
    https://tse1.mm.bing.net/th?id=OADD2.10239317301730_1ZMY9W34LSLV14AW3&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301730_1ZMY9W34LSLV14AW3&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 291493
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D19AD029E536429DA723A7B1E4CD3CB0 Ref B: AMS04EDGE1416 Ref C: 2023-11-05T12:50:33Z
    date: Sun, 05 Nov 2023 12:50:32 GMT
  • GET (US)
    https://tse1.mm.bing.net/th?id=OADD2.10239317301311_18QMRZHF9BCDK2OBJ&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301311_18QMRZHF9BCDK2OBJ&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 639487
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: CFBE249E7D264E499F0840B0FD18F76F Ref B: AMS04EDGE1416 Ref C: 2023-11-05T12:50:33Z
    date: Sun, 05 Nov 2023 12:50:32 GMT
  • GET (US)
    https://tse1.mm.bing.net/th?id=OADD2.10239317301145_1Y8CXK45BT2OHNQQQ&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301145_1Y8CXK45BT2OHNQQQ&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 300661
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 164F731388714FF5A17331F82BAF5CC2 Ref B: AMS04EDGE1416 Ref C: 2023-11-05T12:50:33Z
    date: Sun, 05 Nov 2023 12:50:32 GMT
  • GET (US)
    https://tse1.mm.bing.net/th?id=OADD2.10239317301554_133DWC45UAH2W18HX&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301554_133DWC45UAH2W18HX&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 262756
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 644F0DE22B524D4E9FEFE3B9B6A64E71 Ref B: AMS04EDGE1416 Ref C: 2023-11-05T12:50:34Z
    date: Sun, 05 Nov 2023 12:50:33 GMT
  • DNS (US)
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    209.143.182.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.143.182.52.in-addr.arpa
    IN PTR
    Response
Connection summary (remote address, domain or query, protocol, attributed process where the report shows one, bytes tx/rx, packets tx/rx):

  • 208.91.199.225:587  us2.smtp.mailhostbox.com  smtp  process: NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe  tx 2.8kB  rx 7.1kB  packets 22/22
  • 204.79.197.200:443  tse1.mm.bing.net  tls, http2  tx 1.2kB  rx 8.3kB  packets 16/14
  • 204.79.197.200:443  tse1.mm.bing.net  tls, http2  tx 1.2kB  rx 8.3kB  packets 16/14
  • 204.79.197.200:443  tse1.mm.bing.net  tls, http2  tx 1.2kB  rx 8.3kB  packets 16/14
  • 204.79.197.200:443  tse1.mm.bing.net  tls, http2  tx 1.2kB  rx 8.3kB  packets 16/14
  • 204.79.197.200:443  tse1.mm.bing.net  tls, http2  tx 91.2kB  rx 2.5MB  packets 1840/1834
    HTTP requests on this connection, each answered with 200:
    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301720_1RTL8BA2J0Q8NK3V3&pid=21.2&w=1080&h=1920&c=4
    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301321_1WU4KPMKVNBS4UXRB&pid=21.2&w=1920&h=1080&c=4
    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301730_1ZMY9W34LSLV14AW3&pid=21.2&w=1080&h=1920&c=4
    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301311_18QMRZHF9BCDK2OBJ&pid=21.2&w=1920&h=1080&c=4
    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301145_1Y8CXK45BT2OHNQQQ&pid=21.2&w=1920&h=1080&c=4
    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301554_133DWC45UAH2W18HX&pid=21.2&w=1080&h=1920&c=4
  • 8.8.8.8:53  dns  PTR 95.221.229.192.in-addr.arpa  tx 73 B  rx 144 B  packets 1/1
  • 8.8.8.8:53  dns  PTR 74.32.126.40.in-addr.arpa  tx 71 B  rx 157 B  packets 1/1
  • 8.8.8.8:53  dns  PTR 241.154.82.20.in-addr.arpa  tx 72 B  rx 158 B  packets 1/1
  • 8.8.8.8:53  dns  PTR 146.78.124.51.in-addr.arpa  tx 72 B  rx 158 B  packets 1/1
  • 8.8.8.8:53  dns  PTR 155.245.36.23.in-addr.arpa  tx 72 B  rx 137 B  packets 1/1  answer: a23-36-245-155.deploy.static.akamaitechnologies.com
  • 8.8.8.8:53  dns  PTR 26.35.223.20.in-addr.arpa  tx 71 B  rx 157 B  packets 1/1
  • 8.8.8.8:53  dns  PTR 208.194.73.20.in-addr.arpa  tx 72 B  rx 158 B  packets 1/1
  • 8.8.8.8:53  dns  A us2.smtp.mailhostbox.com  process: NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe  tx 70 B  rx 134 B  packets 1/1  answers: 208.91.199.225, 208.91.198.143, 208.91.199.223, 208.91.199.224
  • 8.8.8.8:53  dns  PTR 183.59.114.20.in-addr.arpa  tx 72 B  rx 158 B  packets 1/1
  • 8.8.8.8:53  dns  PTR 225.199.91.208.in-addr.arpa  tx 73 B  rx 118 B  packets 1/1  answer: 208-91-199-225.unifiedlayer.com
  • 8.8.8.8:53  dns  PTR 198.187.3.20.in-addr.arpa  tx 71 B  rx 157 B  packets 1/1
  • 8.8.8.8:53  dns  PTR 240.221.184.93.in-addr.arpa  tx 73 B  rx 144 B  packets 1/1
  • 8.8.8.8:53  dns  PTR 43.58.199.20.in-addr.arpa  tx 71 B  rx 157 B  packets 1/1
  • 8.8.8.8:53  dns  A tse1.mm.bing.net  tx 62 B  rx 173 B  packets 1/1  answers: 204.79.197.200, 13.107.21.200
  • 8.8.8.8:53  dns  PTR 43.229.111.52.in-addr.arpa  tx 72 B  rx 158 B  packets 1/1
  • 8.8.8.8:53  dns  PTR 209.143.182.52.in-addr.arpa  tx 73 B  rx 147 B  packets 1/1

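Only two flows in this Network section are attributed to the sample process: the A lookup for us2.smtp.mailhostbox.com and the port-587 session to 208.91.199.225, which is one of the four A records the resolver returned for the configured SMTP host. The tse1.mm.bing.net image downloads carry an Edge user agent and no process attribution, and the in-addr.arpa queries are reverse lookups with no attribution either; both read as background activity of the sandbox image rather than sample behaviour, and neither belongs in an indicator list. The Python below is an added example, not part of the report: it encodes a representative subset of the connection summary as constructed records, separates sample-attributed flows from background noise, and derives indicators only from what the sample touched plus the extracted configuration. The conversion of the listed sizes at 1 kB = 1000 B is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

SAMPLE = "NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe"

# Extracted configuration from the Malware Config section of this report.
CONFIG = {"protocol": "smtp", "host": "us2.smtp.mailhostbox.com", "port": 587}

# A records the sandbox resolver returned (DNS section of this report).
DNS_ANSWERS = {
    "us2.smtp.mailhostbox.com": {"208.91.199.225", "208.91.198.143",
                                 "208.91.199.223", "208.91.199.224"},
    "tse1.mm.bing.net": {"204.79.197.200", "13.107.21.200"},
}


@dataclass(frozen=True)
class Flow:
    remote: str              # "ip:port" as listed in the connection summary
    name: str                # hostname or DNS query name
    proto: str
    process: Optional[str]   # attributed process, None where the report shows none
    tx_bytes: int
    rx_bytes: int


def _kb(value: float) -> int:
    """Listed sizes converted at 1 kB = 1000 B (an assumption about the report's units)."""
    return int(round(value * 1000))


# Constructed records mirroring the connection summary (a representative subset).
FLOWS = [
    Flow("208.91.199.225:587", "us2.smtp.mailhostbox.com", "smtp", SAMPLE, _kb(2.8), _kb(7.1)),
    Flow("204.79.197.200:443", "tse1.mm.bing.net", "tls, http2", None, _kb(1.2), _kb(8.3)),
    Flow("204.79.197.200:443", "tse1.mm.bing.net", "tls, http2", None, _kb(91.2), 2_500_000),
    Flow("8.8.8.8:53", "us2.smtp.mailhostbox.com", "dns", SAMPLE, 70, 134),
    Flow("8.8.8.8:53", "tse1.mm.bing.net", "dns", None, 62, 173),
    Flow("8.8.8.8:53", "225.199.91.208.in-addr.arpa", "dns", None, 73, 118),
    Flow("8.8.8.8:53", "155.245.36.23.in-addr.arpa", "dns", None, 72, 137),
]


def split_remote(remote: str):
    """'ip:port' -> (ip, port)."""
    ip, _, port = remote.rpartition(":")
    return ip, int(port)


def classify(flow: Flow, config: dict = CONFIG, answers: dict = DNS_ANSWERS) -> str:
    """Bucket one flow: reverse-DNS noise, unattributed background, or sample activity."""
    if flow.name.endswith(".in-addr.arpa"):
        return "reverse-dns-noise"
    if flow.process is None:
        return "unattributed"
    if flow.proto == "dns":
        return "sample-dns"
    ip, port = split_remote(flow.remote)
    if (flow.name == config["host"] and port == config["port"]
            and ip in answers.get(config["host"], set())):
        return "exfil-channel"      # host, port and resolved IP all match the extracted config
    return "sample-other"


def iocs(flows, config: dict = CONFIG) -> list:
    """Indicators worth blocking: the configured host:port plus what the sample actually touched."""
    found = {f"{config['host']}:{config['port']}"}
    for flow in flows:
        verdict = classify(flow, config)
        if verdict in ("exfil-channel", "sample-dns"):
            found.add(flow.name)
        if verdict == "exfil-channel":
            found.add(split_remote(flow.remote)[0])   # the resolver (8.8.8.8) is never an IOC
    return sorted(found)


def triage(flows) -> dict:
    """Count flows per bucket; the bulk of the bytes lands in the unattributed bucket here."""
    counts = {}
    for flow in flows:
        verdict = classify(flow)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    print(triage(FLOWS))
    print(iocs(FLOWS))
```

iocs() returns the configured host, host:port and the one address the sample contacted; tse1.mm.bing.net, 204.79.197.200 and 8.8.8.8 never appear because no attributed flow touches them. The same attribution rule is what separates the sample's single DNS query from the dozen reverse lookups around it.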
MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe.log

    Filesize

    1KB

    MD5

    b7b9acb869ccc7f7ecb5304ec0384dee

    SHA1

    6a90751c95817903ee833d59a0abbef425a613b3

    SHA256

    8cb00a15cd942a1861c573d86d6fb430512c8e2f80f6349f48b16b8709ca7aa4

    SHA512

    7bec881ac5f59ac26f1be1e7e26d63f040c06369de10c1c246e531a4395d27c335d9acc647ecdedb48ed37bdc2dc405a4cfc11762e1c00659a49be259eaf8764

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilowgxmg.gw4.ps1

    (Written by PowerShell itself at start-up to test the AppLocker/WDAC script policy; a side effect of the powershell.exe child, not a file the sample authored.)

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmpF944.tmp

    (The scheduled-task XML handed to schtasks.exe /XML by PID 2924; see Processes.)

    Filesize

    1KB

    MD5

    a011aaa9939d8411e0290aedb4520e6f

    SHA1

    b525d5ad64cb56d3b6e921e0fe42ba7e3a2b8253

    SHA256

    a7f0538e1957da43f375993410c32e22a224ee7d5ef8629d3a1183f50fb0304f

    SHA512

    f0b22bb3b47aa168fd10a18a1240a53e3c1c30c31fd981bd26f1d136f32b476d63d18d29c0eae104ff28f21f538089e6eeace5173ba4b8f634935424a3157bf5

Memory dumps (one per region; the middle number is the order in which the sandbox took the dump, so indices interleave across processes):

  PID 4120 (powershell.exe)
  • memory/4120-17-0x0000000005090000-0x00000000050C6000-memory.dmp  216KB
  • memory/4120-18-0x00000000749A0000-0x0000000075150000-memory.dmp  7.7MB
  • memory/4120-19-0x0000000005190000-0x00000000051A0000-memory.dmp  64KB
  • memory/4120-21-0x0000000005190000-0x00000000051A0000-memory.dmp  64KB
  • memory/4120-22-0x00000000057D0000-0x0000000005DF8000-memory.dmp  6.2MB
  • memory/4120-30-0x0000000005EC0000-0x0000000005EE2000-memory.dmp  136KB
  • memory/4120-31-0x0000000005F60000-0x0000000005FC6000-memory.dmp  408KB
  • memory/4120-41-0x0000000006260000-0x00000000065B4000-memory.dmp  3.3MB
  • memory/4120-42-0x0000000006630000-0x000000000664E000-memory.dmp  120KB
  • memory/4120-43-0x0000000006690000-0x00000000066DC000-memory.dmp  304KB
  • memory/4120-44-0x000000007F5B0000-0x000000007F5C0000-memory.dmp  64KB
  • memory/4120-45-0x0000000007610000-0x0000000007642000-memory.dmp  200KB
  • memory/4120-46-0x0000000070620000-0x000000007066C000-memory.dmp  304KB
  • memory/4120-56-0x0000000006C10000-0x0000000006C2E000-memory.dmp  120KB
  • memory/4120-58-0x0000000007850000-0x00000000078F3000-memory.dmp  652KB
  • memory/4120-59-0x0000000007FB0000-0x000000000862A000-memory.dmp  6.5MB
  • memory/4120-60-0x0000000007970000-0x000000000798A000-memory.dmp  104KB
  • memory/4120-61-0x00000000079E0000-0x00000000079EA000-memory.dmp  40KB
  • memory/4120-62-0x0000000007BF0000-0x0000000007C86000-memory.dmp  600KB
  • memory/4120-63-0x0000000007B70000-0x0000000007B81000-memory.dmp  68KB
  • memory/4120-64-0x00000000749A0000-0x0000000075150000-memory.dmp  7.7MB
  • memory/4120-65-0x0000000007BC0000-0x0000000007BCE000-memory.dmp  56KB
  • memory/4120-66-0x0000000005190000-0x00000000051A0000-memory.dmp  64KB
  • memory/4120-67-0x0000000007BD0000-0x0000000007BE4000-memory.dmp  80KB
  • memory/4120-68-0x0000000007CD0000-0x0000000007CEA000-memory.dmp  104KB
  • memory/4120-69-0x0000000007CB0000-0x0000000007CB8000-memory.dmp  32KB
  • memory/4120-70-0x0000000005190000-0x00000000051A0000-memory.dmp  64KB
  • memory/4120-73-0x00000000749A0000-0x0000000075150000-memory.dmp  7.7MB

  PID 4368 (sample, parent)
  • memory/4368-0-0x00000000749A0000-0x0000000075150000-memory.dmp  7.7MB
  • memory/4368-1-0x0000000000450000-0x00000000004FC000-memory.dmp  688KB
  • memory/4368-2-0x0000000005500000-0x0000000005AA4000-memory.dmp  5.6MB
  • memory/4368-3-0x0000000004F50000-0x0000000004FE2000-memory.dmp  584KB
  • memory/4368-4-0x0000000004FF0000-0x0000000005344000-memory.dmp  3.3MB
  • memory/4368-5-0x0000000004F00000-0x0000000004F10000-memory.dmp  64KB
  • memory/4368-6-0x0000000004F30000-0x0000000004F3A000-memory.dmp  40KB
  • memory/4368-7-0x0000000005410000-0x000000000541E000-memory.dmp  56KB
  • memory/4368-8-0x00000000749A0000-0x0000000075150000-memory.dmp  7.7MB
  • memory/4368-9-0x0000000004F00000-0x0000000004F10000-memory.dmp  64KB
  • memory/4368-10-0x00000000054E0000-0x00000000054EA000-memory.dmp  40KB
  • memory/4368-11-0x00000000067E0000-0x000000000685A000-memory.dmp  488KB
  • memory/4368-12-0x000000000A410000-0x000000000A4AC000-memory.dmp  624KB
  • memory/4368-26-0x00000000749A0000-0x0000000075150000-memory.dmp  7.7MB

  PID 4932 (sample, re-launched child)
  • memory/4932-23-0x0000000000400000-0x0000000000440000-memory.dmp  256KB
  • memory/4932-27-0x00000000749A0000-0x0000000075150000-memory.dmp  7.7MB
  • memory/4932-28-0x0000000005710000-0x0000000005776000-memory.dmp  408KB
  • memory/4932-29-0x00000000057E0000-0x00000000057F0000-memory.dmp  64KB
  • memory/4932-57-0x0000000006660000-0x00000000066B0000-memory.dmp  320KB
  • memory/4932-74-0x00000000749A0000-0x0000000075150000-memory.dmp  7.7MB
  • memory/4932-75-0x00000000057E0000-0x00000000057F0000-memory.dmp  64KB

  The 7.7MB region at 0x749A0000-0x75150000 is dumped from all three processes, so it is a module mapped at the same base in each rather than anything sample-specific. Dump 4368-1 (688KB at 0x450000) is likely the sample's own image, matching its 660KB on disk plus section alignment. Dump 4932-23 (256KB at 0x400000) is the image region of the re-launched child, consistent with an injected payload at the default image base; it is the dump to carve first for the unpacked Agent Tesla binary.

