Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/01/2024, 11:37 UTC

General

  • Target

    7a238546ba438a42789cf5d6bd08a03f.exe

  • Size

    284KB

  • MD5

    7a238546ba438a42789cf5d6bd08a03f

  • SHA1

    1bb68ee98e317203f4df9b2195533350f58cd0be

  • SHA256

    162d39f277d19f7692d6b420640502debe9327573bdc1d8402d127d94bd98e69

  • SHA512

    be80c3fce348b918dfae6788725869204d4b1d4511b1dded700fa0abd09e88997daa1e968569a7edb42cb648841da6bc9149c6d6ffae9e62b0cf5f4050684977

  • SSDEEP

    3072:ztM6vm1mgc3EPAJjCE/o2LA4qcw5bGIT5eNXy:5E1mgc3EPAJ2L0qZbGINely

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a238546ba438a42789cf5d6bd08a03f.exe
    "C:\Users\Admin\AppData\Local\Temp\7a238546ba438a42789cf5d6bd08a03f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      2⤵
        PID:4932
      • C:\Users\Admin\AppData\Local\Temp\7a238546ba438a42789cf5d6bd08a03f.exe
        2⤵
        • Checks computer location settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\Users\Admin\E696D64614\winlogon.exe
          "C:\Users\Admin\E696D64614\winlogon.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4072
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\\svchost.exe
            4⤵
              PID:1808
            • C:\Users\Admin\E696D64614\winlogon.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:384
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:1428
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 12
                  6⤵
                  • Program crash
                  PID:724
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:1856
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 12
                  6⤵
                  • Program crash
                  PID:4436
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:2076
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 12
                  6⤵
                  • Program crash
                  PID:4172
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:4428
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 12
                  6⤵
                  • Program crash
                  PID:4716
              • C:\Users\Admin\E696D64614\winlogon.exe
                "C:\Users\Admin\E696D64614\winlogon.exe"
                5⤵
                • Executes dropped EXE
                PID:3464
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 12
                  6⤵
                  • Program crash
                  PID:4028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 1428
        1⤵
          PID:3084
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1856 -ip 1856
          1⤵
            PID:3240
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2076 -ip 2076
            1⤵
              PID:4292
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4428 -ip 4428
              1⤵
                PID:2404
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3464 -ip 3464
                1⤵
                  PID:560

                Network

                • flag-us
                  DNS
                  whos.amung.us
                  winlogon.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  whos.amung.us
                  IN A
                  Response
                  whos.amung.us
                  IN A
                  104.22.74.171
                  whos.amung.us
                  IN A
                  104.22.75.171
                  whos.amung.us
                  IN A
                  172.67.8.141
                • flag-us
                  GET
                  http://whos.amung.us/swidget/26n2qf7pnk0x
                  winlogon.exe
                  Remote address:
                  104.22.74.171:80
                  Request
                  GET /swidget/26n2qf7pnk0x HTTP/1.1
                  Host: whos.amung.us
                  Response
                  HTTP/1.1 307 Temporary Redirect
                  Date: Sat, 27 Jan 2024 11:38:21 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: keep-alive
                  cache-control: no-cache, no-store, must-revalidate
                  location: http://widgets.amung.us/small/00/1.png
                  CF-Cache-Status: DYNAMIC
                  Server: cloudflare
                  CF-RAY: 84c0b57e6e3466c2-AMS
                  alt-svc: h3=":443"; ma=86400
                • flag-us
                  DNS
                  widgets.amung.us
                  winlogon.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  widgets.amung.us
                  IN A
                  Response
                  widgets.amung.us
                  IN A
                  104.22.75.171
                  widgets.amung.us
                  IN A
                  172.67.8.141
                  widgets.amung.us
                  IN A
                  104.22.74.171
                • flag-us
                  GET
                  http://widgets.amung.us/small/00/1.png
                  winlogon.exe
                  Remote address:
                  104.22.75.171:80
                  Request
                  GET /small/00/1.png HTTP/1.1
                  Host: widgets.amung.us
                  Connection: Keep-Alive
                  Response
                  HTTP/1.1 200 OK
                  Date: Sat, 27 Jan 2024 11:38:22 GMT
                  Content-Type: image/png
                  Content-Length: 308
                  Connection: keep-alive
                  last-modified: Sun, 13 Jun 2010 09:48:29 GMT
                  etag: "4c14a96d-134"
                  expires: Wed, 24 Jan 2024 21:56:36 GMT
                  cache-control: max-age=2678400
                  access-control-allow-origin: *
                  CF-Cache-Status: HIT
                  Age: 308506
                  Accept-Ranges: bytes
                  Server: cloudflare
                  CF-RAY: 84c0b57fbcc7b7e5-AMS
                  alt-svc: h3=":443"; ma=86400
                • flag-us
                  DNS
                  yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com
                  winlogon.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com
                  IN A
                  Response
                  yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com
                  IN A
                  107.178.223.183
                  yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com
                  IN A
                  104.155.138.21
                • flag-us
                  DNS
                  136.32.126.40.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  136.32.126.40.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  95.221.229.192.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  95.221.229.192.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  171.74.22.104.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  171.74.22.104.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  194.178.17.96.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  194.178.17.96.in-addr.arpa
                  IN PTR
                  Response
                  194.178.17.96.in-addr.arpa
                  IN PTR
                  a96-17-178-194deploystaticakamaitechnologiescom
                • flag-us
                  DNS
                  171.75.22.104.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  171.75.22.104.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  GET
                  http://yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com/
                  winlogon.exe
                  Remote address:
                  107.178.223.183:80
                  Request
                  GET / HTTP/1.1
                  User-Agent: �����������Ī������׼��¥��������֡��ư���ä�ο���ʪ
                  Host: yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com
                  Response
                  HTTP/1.1 200 OK
                  Content-Length: 0
                • flag-us
                  DNS
                  riho1h9mzkciynnu51367qe7n4uxp6.ipgreat.com
                  winlogon.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  riho1h9mzkciynnu51367qe7n4uxp6.ipgreat.com
                  IN A
                  Response
                • flag-us
                  DNS
                  183.223.178.107.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  183.223.178.107.in-addr.arpa
                  IN PTR
                  Response
                  183.223.178.107.in-addr.arpa
                  IN PTR
                  183223178107bcgoogleusercontentcom
                • flag-us
                  DNS
                  133.211.185.52.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  133.211.185.52.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  76.32.126.40.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  76.32.126.40.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  103.169.127.40.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  103.169.127.40.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  15.164.165.52.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  15.164.165.52.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  58.55.71.13.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  58.55.71.13.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  217.135.221.88.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  217.135.221.88.in-addr.arpa
                  IN PTR
                  Response
                  217.135.221.88.in-addr.arpa
                  IN PTR
                  a88-221-135-217deploystaticakamaitechnologiescom
                • flag-us
                  DNS
                  r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com
                  winlogon.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com
                  IN A
                  Response
                  r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com
                  IN A
                  104.155.138.21
                  r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com
                  IN A
                  107.178.223.183
                • flag-us
                  GET
                  http://r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com/
                  winlogon.exe
                  Remote address:
                  104.155.138.21:80
                  Request
                  GET / HTTP/1.1
                  User-Agent: �����������Ī������׼��¥��������֡��ư���ä�ο���ʪ
                  Host: r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com
                  Response
                  HTTP/1.1 200 OK
                  Content-Length: 0
                • flag-us
                  DNS
                  vmjejw073ty4g05i0a833do0c7gk7x.ipgreat.com
                  winlogon.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  vmjejw073ty4g05i0a833do0c7gk7x.ipgreat.com
                  IN A
                  Response
                • flag-us
                  DNS
                  21.138.155.104.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  21.138.155.104.in-addr.arpa
                  IN PTR
                  Response
                  21.138.155.104.in-addr.arpa
                  IN PTR
                  21138155104bcgoogleusercontentcom
                • flag-us
                  DNS
                  4e05d391n96r44epv47823eqr1co6l.ipcheker.com
                  winlogon.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  4e05d391n96r44epv47823eqr1co6l.ipcheker.com
                  IN A
                  Response
                  4e05d391n96r44epv47823eqr1co6l.ipcheker.com
                  IN A
                  104.155.138.21
                  4e05d391n96r44epv47823eqr1co6l.ipcheker.com
                  IN A
                  107.178.223.183
                • flag-us
                  GET
                  http://4e05d391n96r44epv47823eqr1co6l.ipcheker.com/
                  winlogon.exe
                  Remote address:
                  104.155.138.21:80
                  Request
                  GET / HTTP/1.1
                  User-Agent: �����������Ī������׼��¥��������֡��ư���ä�ο���ʪ
                  Host: 4e05d391n96r44epv47823eqr1co6l.ipcheker.com
                  Response
                  HTTP/1.1 200 OK
                  Content-Length: 0
                • flag-us
                  DNS
                  01wt91nuik663607x58poo40a310ko.ipgreat.com
                  winlogon.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  01wt91nuik663607x58poo40a310ko.ipgreat.com
                  IN A
                  Response
                • flag-us
                  DNS
                  173.178.17.96.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  173.178.17.96.in-addr.arpa
                  IN PTR
                  Response
                  173.178.17.96.in-addr.arpa
                  IN PTR
                  a96-17-178-173deploystaticakamaitechnologiescom
                • flag-us
                  DNS
                  u0283735v77liifx77436423s623v1.ipcheker.com
                  winlogon.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  u0283735v77liifx77436423s623v1.ipcheker.com
                  IN A
                  Response
                  u0283735v77liifx77436423s623v1.ipcheker.com
                  IN A
                  107.178.223.183
                  u0283735v77liifx77436423s623v1.ipcheker.com
                  IN A
                  104.155.138.21
                • flag-us
                  GET
                  http://u0283735v77liifx77436423s623v1.ipcheker.com/
                  winlogon.exe
                  Remote address:
                  107.178.223.183:80
                  Request
                  GET / HTTP/1.1
                  User-Agent: �����������Ī������׼��¥��������֡��ư���ä�ο���ʪ
                  Host: u0283735v77liifx77436423s623v1.ipcheker.com
                  Response
                  HTTP/1.1 200 OK
                  Content-Length: 0
                • flag-us
                  DNS
                  7203680j351poe6iu934a47o03dpq2.ipgreat.com
                  winlogon.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  7203680j351poe6iu934a47o03dpq2.ipgreat.com
                  IN A
                  Response
                • flag-us
                  DNS
                  14.173.189.20.in-addr.arpa
                  Remote address:
                  8.8.8.8:53
                  Request
                  14.173.189.20.in-addr.arpa
                  IN PTR
                  Response
                • flag-us
                  DNS
                  17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com
                  winlogon.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com
                  IN A
                  Response
                  17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com
                  IN A
                  107.178.223.183
                  17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com
                  IN A
                  104.155.138.21
                • flag-us
                  DNS
                  17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com
                  winlogon.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com
                  IN A
                  Response
                  17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com
                  IN A
                  107.178.223.183
                  17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com
                  IN A
                  104.155.138.21
                • flag-us
                  GET
                  http://17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com/
                  winlogon.exe
                  Remote address:
                  107.178.223.183:80
                  Request
                  GET / HTTP/1.1
                  User-Agent: �����������Ī������׼��¥��������֡��ư���ä�ο���ʪ
                  Host: 17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com
                  Response
                  HTTP/1.1 200 OK
                  Content-Length: 0
                • flag-us
                  DNS
                  pmrlb8gg195qv00omfo7833wl1n7w8.ipgreat.com
                  winlogon.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  pmrlb8gg195qv00omfo7833wl1n7w8.ipgreat.com
                  IN A
                  Response
                • flag-us
                  DNS
                  pmrlb8gg195qv00omfo7833wl1n7w8.ipgreat.com
                  winlogon.exe
                  Remote address:
                  8.8.8.8:53
                  Request
                  pmrlb8gg195qv00omfo7833wl1n7w8.ipgreat.com
                  IN A
                  Response
                • 104.22.74.171:80
                  http://whos.amung.us/swidget/26n2qf7pnk0x
                  http
                  winlogon.exe
                  335 B
                  549 B
                  6
                  4

                  HTTP Request

                  GET http://whos.amung.us/swidget/26n2qf7pnk0x

                  HTTP Response

                  307
                • 104.22.75.171:80
                  http://widgets.amung.us/small/00/1.png
                  http
                  winlogon.exe
                  356 B
                  915 B
                  6
                  4

                  HTTP Request

                  GET http://widgets.amung.us/small/00/1.png

                  HTTP Response

                  200
                • 107.178.223.183:80
                  http://yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com/
                  http
                  winlogon.exe
                  733 B
                  530 B
                  13
                  12

                  HTTP Request

                  GET http://yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com/

                  HTTP Response

                  200
                • 104.155.138.21:80
                  http://r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com/
                  http
                  winlogon.exe
                  411 B
                  250 B
                  6
                  5

                  HTTP Request

                  GET http://r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com/

                  HTTP Response

                  200
                • 104.155.138.21:80
                  http://4e05d391n96r44epv47823eqr1co6l.ipcheker.com/
                  http
                  winlogon.exe
                  457 B
                  290 B
                  7
                  6

                  HTTP Request

                  GET http://4e05d391n96r44epv47823eqr1co6l.ipcheker.com/

                  HTTP Response

                  200
                • 107.178.223.183:80
                  http://u0283735v77liifx77436423s623v1.ipcheker.com/
                  http
                  winlogon.exe
                  457 B
                  290 B
                  7
                  6

                  HTTP Request

                  GET http://u0283735v77liifx77436423s623v1.ipcheker.com/

                  HTTP Response

                  200
                • 107.178.223.183:80
                  http://17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com/
                  http
                  winlogon.exe
                  365 B
                  210 B
                  5
                  4

                  HTTP Request

                  GET http://17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com/

                  HTTP Response

                  200
                • 8.8.8.8:53
                  whos.amung.us
                  dns
                  winlogon.exe
                  59 B
                  107 B
                  1
                  1

                  DNS Request

                  whos.amung.us

                  DNS Response

                  104.22.74.171
                  104.22.75.171
                  172.67.8.141

                • 8.8.8.8:53
                  widgets.amung.us
                  dns
                  winlogon.exe
                  62 B
                  110 B
                  1
                  1

                  DNS Request

                  widgets.amung.us

                  DNS Response

                  104.22.75.171
                  172.67.8.141
                  104.22.74.171

                • 8.8.8.8:53
                  yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com
                  dns
                  winlogon.exe
                  89 B
                  121 B
                  1
                  1

                  DNS Request

                  yuiu9nq4uk8a926b2rx2573h5j2y22.ipcheker.com

                  DNS Response

                  107.178.223.183
                  104.155.138.21

                • 8.8.8.8:53
                  136.32.126.40.in-addr.arpa
                  dns
                  72 B
                  158 B
                  1
                  1

                  DNS Request

                  136.32.126.40.in-addr.arpa

                • 8.8.8.8:53
                  95.221.229.192.in-addr.arpa
                  dns
                  73 B
                  144 B
                  1
                  1

                  DNS Request

                  95.221.229.192.in-addr.arpa

                • 8.8.8.8:53
                  171.74.22.104.in-addr.arpa
                  dns
                  72 B
                  134 B
                  1
                  1

                  DNS Request

                  171.74.22.104.in-addr.arpa

                • 8.8.8.8:53
                  194.178.17.96.in-addr.arpa
                  dns
                  72 B
                  137 B
                  1
                  1

                  DNS Request

                  194.178.17.96.in-addr.arpa

                • 8.8.8.8:53
                  171.75.22.104.in-addr.arpa
                  dns
                  72 B
                  134 B
                  1
                  1

                  DNS Request

                  171.75.22.104.in-addr.arpa

                • 8.8.8.8:53
                  riho1h9mzkciynnu51367qe7n4uxp6.ipgreat.com
                  dns
                  winlogon.exe
                  88 B
                  161 B
                  1
                  1

                  DNS Request

                  riho1h9mzkciynnu51367qe7n4uxp6.ipgreat.com

                • 8.8.8.8:53
                  183.223.178.107.in-addr.arpa
                  dns
                  74 B
                  128 B
                  1
                  1

                  DNS Request

                  183.223.178.107.in-addr.arpa

                • 8.8.8.8:53
                  133.211.185.52.in-addr.arpa
                  dns
                  73 B
                  147 B
                  1
                  1

                  DNS Request

                  133.211.185.52.in-addr.arpa

                • 8.8.8.8:53
                  76.32.126.40.in-addr.arpa
                  dns
                  71 B
                  157 B
                  1
                  1

                  DNS Request

                  76.32.126.40.in-addr.arpa

                • 8.8.8.8:53
                  103.169.127.40.in-addr.arpa
                  dns
                  73 B
                  147 B
                  1
                  1

                  DNS Request

                  103.169.127.40.in-addr.arpa

                • 8.8.8.8:53
                  15.164.165.52.in-addr.arpa
                  dns
                  72 B
                  146 B
                  1
                  1

                  DNS Request

                  15.164.165.52.in-addr.arpa

                • 8.8.8.8:53
                  58.55.71.13.in-addr.arpa
                  dns
                  70 B
                  144 B
                  1
                  1

                  DNS Request

                  58.55.71.13.in-addr.arpa

                • 8.8.8.8:53
                  217.135.221.88.in-addr.arpa
                  dns
                  73 B
                  139 B
                  1
                  1

                  DNS Request

                  217.135.221.88.in-addr.arpa

                • 8.8.8.8:53
                  r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com
                  dns
                  winlogon.exe
                  89 B
                  121 B
                  1
                  1

                  DNS Request

                  r6fa9b1fvu59516q8kwo1i3bbbsgpt.ipcheker.com

                  DNS Response

                  104.155.138.21
                  107.178.223.183

                • 8.8.8.8:53
                  vmjejw073ty4g05i0a833do0c7gk7x.ipgreat.com
                  dns
                  winlogon.exe
                  88 B
                  161 B
                  1
                  1

                  DNS Request

                  vmjejw073ty4g05i0a833do0c7gk7x.ipgreat.com

                • 8.8.8.8:53
                  21.138.155.104.in-addr.arpa
                  dns
                  73 B
                  126 B
                  1
                  1

                  DNS Request

                  21.138.155.104.in-addr.arpa

                • 8.8.8.8:53
                  4e05d391n96r44epv47823eqr1co6l.ipcheker.com
                  dns
                  winlogon.exe
                  89 B
                  121 B
                  1
                  1

                  DNS Request

                  4e05d391n96r44epv47823eqr1co6l.ipcheker.com

                  DNS Response

                  104.155.138.21
                  107.178.223.183

                • 8.8.8.8:53
                  01wt91nuik663607x58poo40a310ko.ipgreat.com
                  dns
                  winlogon.exe
                  88 B
                  161 B
                  1
                  1

                  DNS Request

                  01wt91nuik663607x58poo40a310ko.ipgreat.com

                • 8.8.8.8:53
                  173.178.17.96.in-addr.arpa
                  dns
                  72 B
                  137 B
                  1
                  1

                  DNS Request

                  173.178.17.96.in-addr.arpa

                • 8.8.8.8:53
                  u0283735v77liifx77436423s623v1.ipcheker.com
                  dns
                  winlogon.exe
                  89 B
                  121 B
                  1
                  1

                  DNS Request

                  u0283735v77liifx77436423s623v1.ipcheker.com

                  DNS Response

                  107.178.223.183
                  104.155.138.21

                • 8.8.8.8:53
                  7203680j351poe6iu934a47o03dpq2.ipgreat.com
                  dns
                  winlogon.exe
                  88 B
                  161 B
                  1
                  1

                  DNS Request

                  7203680j351poe6iu934a47o03dpq2.ipgreat.com

                • 8.8.8.8:53
                  14.173.189.20.in-addr.arpa
                  dns
                  72 B
                  158 B
                  1
                  1

                  DNS Request

                  14.173.189.20.in-addr.arpa

                • 8.8.8.8:53
                  17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com
                  dns
                  winlogon.exe
                  178 B
                  242 B
                  2
                  2

                  DNS Request

                  17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com

                  DNS Request

                  17c870rh37gj6kpqt5j26w82ovd88e.ipcheker.com

                  DNS Response

                  107.178.223.183
                  104.155.138.21

                  DNS Response

                  107.178.223.183
                  104.155.138.21

                • 8.8.8.8:53
                  pmrlb8gg195qv00omfo7833wl1n7w8.ipgreat.com
                  dns
                  winlogon.exe
                  176 B
                  322 B
                  2
                  2

                  DNS Request

                  pmrlb8gg195qv00omfo7833wl1n7w8.ipgreat.com

                  DNS Request

                  pmrlb8gg195qv00omfo7833wl1n7w8.ipgreat.com

                Downloads

                • C:\Users\Admin\E696D64614\winlogon.exe

                  Filesize

                  284KB

                  MD5

                  7a238546ba438a42789cf5d6bd08a03f

                  SHA1

                  1bb68ee98e317203f4df9b2195533350f58cd0be

                  SHA256

                  162d39f277d19f7692d6b420640502debe9327573bdc1d8402d127d94bd98e69

                  SHA512

                  be80c3fce348b918dfae6788725869204d4b1d4511b1dded700fa0abd09e88997daa1e968569a7edb42cb648841da6bc9149c6d6ffae9e62b0cf5f4050684977

                • memory/384-52-0x0000000000400000-0x0000000000419000-memory.dmp

                  Filesize

                  100KB

                • memory/384-46-0x0000000000400000-0x0000000000419000-memory.dmp

                  Filesize

                  100KB

                • memory/384-40-0x0000000000400000-0x0000000000419000-memory.dmp

                  Filesize

                  100KB

                • memory/384-34-0x0000000000400000-0x0000000000419000-memory.dmp

                  Filesize

                  100KB

                • memory/384-28-0x0000000000400000-0x0000000000419000-memory.dmp

                  Filesize

                  100KB

                • memory/2068-4-0x0000000000400000-0x0000000000419000-memory.dmp

                  Filesize

                  100KB

                • memory/2068-15-0x0000000000400000-0x0000000000419000-memory.dmp

                  Filesize

                  100KB

                • memory/2068-0-0x0000000000400000-0x0000000000419000-memory.dmp

                  Filesize

                  100KB

                • memory/2068-3-0x0000000000400000-0x0000000000419000-memory.dmp

                  Filesize

                  100KB

                • memory/4032-2-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB

                • memory/4072-20-0x0000000000400000-0x0000000000421000-memory.dmp

                  Filesize

                  132KB