Overview

overview

10

Static

static

3

NEAS.89578...xe.exe

windows7-x64

10

NEAS.89578...xe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/11/2023, 12:49 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe

  • Size

    660KB

  • MD5

    0a9a21411a503e7617ffe3c1fe190e8c

  • SHA1

    8298c8a9fa4c288ecdea34d8d493d511c3c22bee

  • SHA256

    895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880

  • SHA512

    b970b5b05b041061689fe445601f312e5cf819d349ad38d9b78e4c8bedda228a7fee52574dd3fd1ddeaf8b252d1cd6e61d39e2abf4be09964d765c01e5de52f5

  • SSDEEP

    12288:epoadswFckSxQPGRVax4VMU5ZcFnMGokXgVj4mTXyXLX:epoadBSxxQPGux4GeQnHodSma

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    pearlyn.tan@nuoryons.com
  • Password:
    Loverboy@123

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    pearlyn.tan@nuoryons.com
  • Password:
    Loverboy@123
  • Email To:
    pearlyn.tan@nuoryons.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\acvliyEf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4120
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\acvliyEf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF944.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2924
    • C:\Users\Admin\AppData\Local\Temp\NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4932

Network

  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    74.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    146.78.124.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.78.124.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    155.245.36.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    155.245.36.23.in-addr.arpa
    IN PTR
    Response
    155.245.36.23.in-addr.arpa
    IN PTR
    a23-36-245-155deploystaticakamaitechnologiescom
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    us2.smtp.mailhostbox.com
    NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe
    Remote address:
    8.8.8.8:53
    Request
    us2.smtp.mailhostbox.com
    IN A
    Response
    us2.smtp.mailhostbox.com
    IN A
    208.91.199.225
    us2.smtp.mailhostbox.com
    IN A
    208.91.198.143
    us2.smtp.mailhostbox.com
    IN A
    208.91.199.223
    us2.smtp.mailhostbox.com
    IN A
    208.91.199.224
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    225.199.91.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    225.199.91.208.in-addr.arpa
    IN PTR
    Response
    225.199.91.208.in-addr.arpa
    IN PTR
    208-91-199-225 unifiedlayercom
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301720_1RTL8BA2J0Q8NK3V3&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301720_1RTL8BA2J0Q8NK3V3&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 727788
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F9635CF290294398A160B35FB23920C0 Ref B: AMS04EDGE1416 Ref C: 2023-11-05T12:50:33Z
    date: Sun, 05 Nov 2023 12:50:32 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301321_1WU4KPMKVNBS4UXRB&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301321_1WU4KPMKVNBS4UXRB&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 221908
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2EFC8896C0BD42C5B2917FD75BC65815 Ref B: AMS04EDGE1416 Ref C: 2023-11-05T12:50:33Z
    date: Sun, 05 Nov 2023 12:50:32 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301730_1ZMY9W34LSLV14AW3&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301730_1ZMY9W34LSLV14AW3&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 291493
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D19AD029E536429DA723A7B1E4CD3CB0 Ref B: AMS04EDGE1416 Ref C: 2023-11-05T12:50:33Z
    date: Sun, 05 Nov 2023 12:50:32 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301311_18QMRZHF9BCDK2OBJ&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301311_18QMRZHF9BCDK2OBJ&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 639487
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: CFBE249E7D264E499F0840B0FD18F76F Ref B: AMS04EDGE1416 Ref C: 2023-11-05T12:50:33Z
    date: Sun, 05 Nov 2023 12:50:32 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301145_1Y8CXK45BT2OHNQQQ&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301145_1Y8CXK45BT2OHNQQQ&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 300661
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 164F731388714FF5A17331F82BAF5CC2 Ref B: AMS04EDGE1416 Ref C: 2023-11-05T12:50:33Z
    date: Sun, 05 Nov 2023 12:50:32 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301554_133DWC45UAH2W18HX&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239317301554_133DWC45UAH2W18HX&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 262756
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 644F0DE22B524D4E9FEFE3B9B6A64E71 Ref B: AMS04EDGE1416 Ref C: 2023-11-05T12:50:34Z
    date: Sun, 05 Nov 2023 12:50:33 GMT
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.143.182.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.143.182.52.in-addr.arpa
    IN PTR
    Response
  • 208.91.199.225:587
    us2.smtp.mailhostbox.com
    smtp
    NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe
    2.8kB
     7.1kB
     22
    22
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.3kB
     16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.3kB
     16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.3kB
     16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
     8.3kB
     16
    14
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317301554_133DWC45UAH2W18HX&pid=21.2&w=1080&h=1920&c=4
    tls, http2
    91.2kB
     2.5MB
     1840
    1834

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301720_1RTL8BA2J0Q8NK3V3&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301321_1WU4KPMKVNBS4UXRB&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301730_1ZMY9W34LSLV14AW3&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301311_18QMRZHF9BCDK2OBJ&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301145_1Y8CXK45BT2OHNQQQ&pid=21.2&w=1920&h=1080&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301554_133DWC45UAH2W18HX&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200
  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    74.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    74.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    146.78.124.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    146.78.124.51.in-addr.arpa

  • 8.8.8.8:53
    155.245.36.23.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    155.245.36.23.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    208.194.73.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    208.194.73.20.in-addr.arpa

  • 8.8.8.8:53
    us2.smtp.mailhostbox.com
    dns
    NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe
    70 B
     134 B
     1
    1

    DNS Request

    us2.smtp.mailhostbox.com

    DNS Response

    208.91.199.225
    208.91.198.143
    208.91.199.223
    208.91.199.224

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    225.199.91.208.in-addr.arpa
    dns
    73 B
     118 B
     1
    1

    DNS Request

    225.199.91.208.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
     173 B
     1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    209.143.182.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    209.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEAS.895780bd55fdc39fcd442cf3e0b84019798a6b4d09fa160c323edf120eeae880exe.exe.log
    Filesize

    1KB

    MD5

    b7b9acb869ccc7f7ecb5304ec0384dee

    SHA1

    6a90751c95817903ee833d59a0abbef425a613b3

    SHA256

    8cb00a15cd942a1861c573d86d6fb430512c8e2f80f6349f48b16b8709ca7aa4

    SHA512

    7bec881ac5f59ac26f1be1e7e26d63f040c06369de10c1c246e531a4395d27c335d9acc647ecdedb48ed37bdc2dc405a4cfc11762e1c00659a49be259eaf8764

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilowgxmg.gw4.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpF944.tmp
    Filesize

    1KB

    MD5

    a011aaa9939d8411e0290aedb4520e6f

    SHA1

    b525d5ad64cb56d3b6e921e0fe42ba7e3a2b8253

    SHA256

    a7f0538e1957da43f375993410c32e22a224ee7d5ef8629d3a1183f50fb0304f

    SHA512

    f0b22bb3b47aa168fd10a18a1240a53e3c1c30c31fd981bd26f1d136f32b476d63d18d29c0eae104ff28f21f538089e6eeace5173ba4b8f634935424a3157bf5

    Download Submit

  • memory/4120-31-0x0000000005F60000-0x0000000005FC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4120-62-0x0000000007BF0000-0x0000000007C86000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4120-73-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4120-70-0x0000000005190000-0x00000000051A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4120-69-0x0000000007CB0000-0x0000000007CB8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4120-68-0x0000000007CD0000-0x0000000007CEA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4120-67-0x0000000007BD0000-0x0000000007BE4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4120-41-0x0000000006260000-0x00000000065B4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4120-65-0x0000000007BC0000-0x0000000007BCE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4120-64-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4120-17-0x0000000005090000-0x00000000050C6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4120-18-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4120-19-0x0000000005190000-0x00000000051A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4120-63-0x0000000007B70000-0x0000000007B81000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4120-22-0x00000000057D0000-0x0000000005DF8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4120-42-0x0000000006630000-0x000000000664E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4120-21-0x0000000005190000-0x00000000051A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4120-61-0x00000000079E0000-0x00000000079EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4120-60-0x0000000007970000-0x000000000798A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4120-59-0x0000000007FB0000-0x000000000862A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4120-58-0x0000000007850000-0x00000000078F3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4120-30-0x0000000005EC0000-0x0000000005EE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4120-56-0x0000000006C10000-0x0000000006C2E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4120-46-0x0000000070620000-0x000000007066C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4120-45-0x0000000007610000-0x0000000007642000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4120-66-0x0000000005190000-0x00000000051A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4120-44-0x000000007F5B0000-0x000000007F5C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4120-43-0x0000000006690000-0x00000000066DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4368-8-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4368-7-0x0000000005410000-0x000000000541E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4368-1-0x0000000000450000-0x00000000004FC000-memory.dmp

    Filesize

    688KB

    Download

  • memory/4368-5-0x0000000004F00000-0x0000000004F10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4368-6-0x0000000004F30000-0x0000000004F3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4368-11-0x00000000067E0000-0x000000000685A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/4368-9-0x0000000004F00000-0x0000000004F10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4368-26-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4368-12-0x000000000A410000-0x000000000A4AC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4368-0-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4368-4-0x0000000004FF0000-0x0000000005344000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4368-2-0x0000000005500000-0x0000000005AA4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4368-3-0x0000000004F50000-0x0000000004FE2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4368-10-0x00000000054E0000-0x00000000054EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4932-27-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4932-23-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/4932-28-0x0000000005710000-0x0000000005776000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4932-57-0x0000000006660000-0x00000000066B0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4932-29-0x00000000057E0000-0x00000000057F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4932-74-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4932-75-0x00000000057E0000-0x00000000057F0000-memory.dmp

    Filesize

    64KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.