Resubmissions

09/04/2024, 07:50 UTC

240409-jpmnlahh93 10

09/04/2024, 07:50 UTC

240409-jpl23adc3y 10

09/04/2024, 07:50 UTC

240409-jplrashh89 10

09/04/2024, 07:50 UTC

240409-jpk5rshh88 10

27/01/2024, 20:08 UTC

240127-ywx58schhk 10

02/10/2023, 11:52 UTC

231002-n1vwkabg54 10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/01/2024, 20:08 UTC

General

  • Target

    0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe

  • Size

    56KB

  • MD5

    979692cd7fc638beea6e9d68c752f360

  • SHA1

    c511ae4d80aaa281c610190aa13630de61ca714c

  • SHA256

    0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9

  • SHA512

    d7b7b6a968e6d7b7f3e7f98decb6b331b08122e491bf0b0dbe243223fb177218a758c34830f20c47f2a799acdd146297ec7f930c2bb4d5c6830ce65c8274ea6d

  • SSDEEP

    768:piN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/Afy8fIaJ/ZB49j9xOOLd9kvAx0:g4HHerjZX7pLjJKjSO5i

Score
10/10

Malware Config

Extracted

Path

C:\odt\README.45f0f725.TXT

Family

darkside

Ransom Note
----------- [ Welcome to DarkSide ] ------------->

What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
Follow our instructions below and you will recover all your data.

Data leak
----------------------------------------------
First of all we have downloaded more then 500GB data from your network.
Included:
-Accounting data
-Finance data
-HR
-Employees confidential data(photos, benefits, taxes, etc)
-Marketing
-Budgets
-Taxes(sales tax compliance, property, income and franchise taxes, etc)
-Payrolls
-Banking data
-Arbitration
-Scans
-Insurance
-Reconciliations
-Reports(monthly bank inventory, monthly financial, claims reports, etc)
-Audits(DHG, insurance audits, etc)
-B2B clients config data
-Confidentiality 2020
-2020, 2021 Business plans
-2019, 2020, 2021 years Closing (full dumps)
-and a lot of other sensitive data

Your personal leak page: http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q
On the page you will find examples of files that have been downloaded.
The data is preloaded and will be automatically published if you do not pay.
After publication, your data will be available for at least 6 months on our tor cdn servers.
We are ready:
- To provide you the evidence of stolen data
- To delete all the stolen data.

What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free.
Go to the site and contact us.

How to get access on website?
----------------------------------------------
Using a TOR browser:
1) Download and install TOR browser from this site: https://torproject.org/
2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM
When you open our website, put the following data in the input form:
Key:
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

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!
URLs

http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM

Signatures

  • DarkSide

    Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.

  • Renames multiple (150) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 14 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies data under HKEY_USERS 40 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
    "C:\Users\Admin\AppData\Local\Temp\0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe"
    1⤵
      PID:1440
    • C:\Users\Admin\AppData\Local\Temp\0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      "C:\Users\Admin\AppData\Local\Temp\0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4396
      • C:\Users\Admin\AppData\Local\Temp\0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
        "C:\Users\Admin\AppData\Local\Temp\0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe"
        2⤵
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Modifies Control Panel
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2284
        • C:\Users\Admin\AppData\Local\Temp\0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
          C:\Users\Admin\AppData\Local\Temp\0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe -work worker0 job0-2284
          3⤵
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:2980
        • C:\Users\Admin\AppData\Local\Temp\0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
          C:\Users\Admin\AppData\Local\Temp\0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe -work worker1 job1-2284
          3⤵
          • Enumerates connected drives
          PID:1428
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4868

    Network

    • flag-us
      DNS
      baroquetees.com
      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      Remote address:
      8.8.8.8:53
      Request
      baroquetees.com
      IN A
      Response
      baroquetees.com
      IN A
      103.224.212.215
    • flag-us
      POST
      https://baroquetees.com/099Zzcwu9
      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      Remote address:
      103.224.212.215:443
      Request
      POST /099Zzcwu9 HTTP/1.1
      Accept: */*
      Connection: keep-alive
      Accept-Encoding: gzip, deflate, br
      Content-Type: text/plain
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:79.0) Gecko/20100101 Firefox/80.0
      Host: baroquetees.com
      Content-Length: 430
      Cache-Control: no-cache
      Response
      HTTP/1.1 302 Found
      date: Sat, 27 Jan 2024 20:09:13 GMT
      server: Apache
      set-cookie: __tad=1706386153.6464954; expires=Tue, 24-Jan-2034 20:09:13 GMT; Max-Age=315360000
      location: http://ww25.baroquetees.com/099Zzcwu9?subid1=20240128-0709-134b-a866-7133347885b5
      content-length: 2
      content-type: text/html; charset=UTF-8
      connection: close
    • flag-us
      DNS
      215.212.224.103.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      215.212.224.103.in-addr.arpa
      IN PTR
      Response
      215.212.224.103.in-addr.arpa
      IN PTR
      lb-212-215abovecom
    • flag-us
      DNS
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      187.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      187.178.17.96.in-addr.arpa
      IN PTR
      Response
      187.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-187deploystaticakamaitechnologiescom
    • flag-us
      DNS
      40.13.222.173.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      40.13.222.173.in-addr.arpa
      IN PTR
      Response
      40.13.222.173.in-addr.arpa
      IN PTR
      a173-222-13-40deploystaticakamaitechnologiescom
    • flag-us
      DNS
      193.179.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      193.179.17.96.in-addr.arpa
      IN PTR
      Response
      193.179.17.96.in-addr.arpa
      IN PTR
      a96-17-179-193deploystaticakamaitechnologiescom
    • flag-us
      DNS
      ww25.baroquetees.com
      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      Remote address:
      8.8.8.8:53
      Request
      ww25.baroquetees.com
      IN A
      Response
      ww25.baroquetees.com
      IN CNAME
      77026.bodis.com
      77026.bodis.com
      IN A
      199.59.243.225
    • flag-us
      GET
      http://ww25.baroquetees.com/099Zzcwu9?subid1=20240128-0709-134b-a866-7133347885b5
      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      Remote address:
      199.59.243.225:80
      Request
      GET /099Zzcwu9?subid1=20240128-0709-134b-a866-7133347885b5 HTTP/1.1
      Accept: */*
      Connection: keep-alive
      Accept-Encoding: gzip, deflate, br
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:79.0) Gecko/20100101 Firefox/80.0
      Cache-Control: no-cache
      Host: ww25.baroquetees.com
      Cookie: __tad=1706386153.6464954
      Response
      HTTP/1.1 200 OK
      date: Sat, 27 Jan 2024 20:09:14 GMT
      content-type: text/html; charset=utf-8
      content-length: 1194
      x-request-id: 06bb00f5-e472-43f4-879a-f28b4457f38a
      cache-control: no-store, max-age=0
      accept-ch: sec-ch-prefers-color-scheme
      critical-ch: sec-ch-prefers-color-scheme
      vary: sec-ch-prefers-color-scheme
      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rQ0WTYIz46XEe7nwlnDf5Ja981KlJhLKNDFDnM+iZDeLxxsN8E6yJM/SfjKoNV1CAiS7c+4aOT4zXg4e+xnhkw==
      set-cookie: parking_session=06bb00f5-e472-43f4-879a-f28b4457f38a; expires=Sat, 27 Jan 2024 20:24:14 GMT; path=/
    • flag-us
      DNS
      rumahsia.com
      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      Remote address:
      8.8.8.8:53
      Request
      rumahsia.com
      IN A
      Response
    • flag-us
      DNS
      225.243.59.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      225.243.59.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      POST
      https://baroquetees.com/3
      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      Remote address:
      103.224.212.215:443
      Request
      POST /3 HTTP/1.1
      Accept: */*
      Connection: keep-alive
      Accept-Encoding: gzip, deflate, br
      Content-Type: text/plain
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:79.0) Gecko/20100101 Firefox/80.0
      Host: baroquetees.com
      Content-Length: 238
      Cache-Control: no-cache
      Cookie: __tad=1706386153.6464954
      Response
      HTTP/1.1 302 Found
      date: Sat, 27 Jan 2024 20:09:16 GMT
      server: Apache
      location: http://ww25.baroquetees.com/3?subid1=20240128-0709-1609-96fb-7e3a6f36925b
      content-length: 2
      content-type: text/html; charset=UTF-8
      connection: close
    • flag-us
      GET
      http://ww25.baroquetees.com/3?subid1=20240128-0709-1609-96fb-7e3a6f36925b
      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      Remote address:
      199.59.243.225:80
      Request
      GET /3?subid1=20240128-0709-1609-96fb-7e3a6f36925b HTTP/1.1
      Accept: */*
      Connection: keep-alive
      Accept-Encoding: gzip, deflate, br
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:79.0) Gecko/20100101 Firefox/80.0
      Cache-Control: no-cache
      Host: ww25.baroquetees.com
      Cookie: __tad=1706386153.6464954; parking_session=06bb00f5-e472-43f4-879a-f28b4457f38a
      Response
      HTTP/1.1 200 OK
      date: Sat, 27 Jan 2024 20:09:15 GMT
      content-type: text/html; charset=utf-8
      content-length: 1182
      x-request-id: 266c4d80-acd9-4768-a23b-68c76f35082f
      cache-control: no-store, max-age=0
      accept-ch: sec-ch-prefers-color-scheme
      critical-ch: sec-ch-prefers-color-scheme
      vary: sec-ch-prefers-color-scheme
      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_JnnqDU/70Sw1LXt0FKcDszgoq/fckFheSYi9IBK8WgMBPF7YR2J8ij/NKXRkDnfpI1NQCTXBWXleYujinzMi7Q==
      set-cookie: parking_session=06bb00f5-e472-43f4-879a-f28b4457f38a; expires=Sat, 27 Jan 2024 20:24:16 GMT
    • flag-us
      DNS
      140.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      140.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      103.169.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      103.169.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      134.71.91.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      134.71.91.104.in-addr.arpa
      IN PTR
      Response
      134.71.91.104.in-addr.arpa
      IN PTR
      a104-91-71-134deploystaticakamaitechnologiescom
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      114.110.16.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      114.110.16.96.in-addr.arpa
      IN PTR
      Response
      114.110.16.96.in-addr.arpa
      IN PTR
      a96-16-110-114deploystaticakamaitechnologiescom
    • flag-us
      DNS
      205.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.178.17.96.in-addr.arpa
      IN PTR
      Response
      205.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-205deploystaticakamaitechnologiescom
    • flag-us
      DNS
      14.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      201.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      201.178.17.96.in-addr.arpa
      IN PTR
      Response
      201.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-201deploystaticakamaitechnologiescom
    • flag-us
      DNS
      79.121.231.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      79.121.231.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      79.121.231.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      79.121.231.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      26.178.89.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.178.89.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      26.178.89.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.178.89.13.in-addr.arpa
      IN PTR
      Response
    • 103.224.212.215:443
      https://baroquetees.com/099Zzcwu9
      tls, http
      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      1.8kB
      7.9kB
      17
      12

      HTTP Request

      POST https://baroquetees.com/099Zzcwu9

      HTTP Response

      302
    • 199.59.243.225:80
      http://ww25.baroquetees.com/099Zzcwu9?subid1=20240128-0709-134b-a866-7133347885b5
      http
      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      736 B
      2.8kB
      9
      6

      HTTP Request

      GET http://ww25.baroquetees.com/099Zzcwu9?subid1=20240128-0709-134b-a866-7133347885b5

      HTTP Response

      200
    • 103.224.212.215:443
      https://baroquetees.com/3
      tls, http
      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      1.5kB
      661 B
      10
      6

      HTTP Request

      POST https://baroquetees.com/3

      HTTP Response

      302
    • 199.59.243.225:80
      http://ww25.baroquetees.com/3?subid1=20240128-0709-1609-96fb-7e3a6f36925b
      http
      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      782 B
      2.7kB
      9
      6

      HTTP Request

      GET http://ww25.baroquetees.com/3?subid1=20240128-0709-1609-96fb-7e3a6f36925b

      HTTP Response

      200
    • 8.8.8.8:53
      baroquetees.com
      dns
      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      61 B
      77 B
      1
      1

      DNS Request

      baroquetees.com

      DNS Response

      103.224.212.215

    • 8.8.8.8:53
      215.212.224.103.in-addr.arpa
      dns
      74 B
      108 B
      1
      1

      DNS Request

      215.212.224.103.in-addr.arpa

    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      144 B
      158 B
      2
      1

      DNS Request

      28.118.140.52.in-addr.arpa

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      187.178.17.96.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      187.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      40.13.222.173.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      40.13.222.173.in-addr.arpa

    • 8.8.8.8:53
      193.179.17.96.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      193.179.17.96.in-addr.arpa

    • 8.8.8.8:53
      ww25.baroquetees.com
      dns
      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      66 B
      108 B
      1
      1

      DNS Request

      ww25.baroquetees.com

      DNS Response

      199.59.243.225

    • 8.8.8.8:53
      rumahsia.com
      dns
      0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9.exe
      58 B
      131 B
      1
      1

      DNS Request

      rumahsia.com

    • 8.8.8.8:53
      225.243.59.199.in-addr.arpa
      dns
      73 B
      131 B
      1
      1

      DNS Request

      225.243.59.199.in-addr.arpa

    • 8.8.8.8:53
      140.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      140.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      103.169.127.40.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      103.169.127.40.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      134.71.91.104.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      134.71.91.104.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      114.110.16.96.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      114.110.16.96.in-addr.arpa

    • 8.8.8.8:53
      205.178.17.96.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      205.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      14.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      14.227.111.52.in-addr.arpa

    • 8.8.8.8:53
      201.178.17.96.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      201.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      79.121.231.20.in-addr.arpa
      dns
      144 B
      316 B
      2
      2

      DNS Request

      79.121.231.20.in-addr.arpa

      DNS Request

      79.121.231.20.in-addr.arpa

    • 8.8.8.8:53
      26.178.89.13.in-addr.arpa
      dns
      142 B
      290 B
      2
      2

      DNS Request

      26.178.89.13.in-addr.arpa

      DNS Request

      26.178.89.13.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\odt\README.45f0f725.TXT

      Filesize

      3KB

      MD5

      164aa420be8e0c2bcdef574355edaa32

      SHA1

      4336eaafedfc18a27cdf42bffad63b5a54ea8231

      SHA256

      b326d11dd90c2e4efb0a384981f71c2bd1a6faa0553d6389acb08945b699f73d

      SHA512

      fd1437bc4f45e3f4b5c3d0e7fca9383f45edceb5c8cb603d0b8ee98350a5f2468c2aabdb66f16bdee0bac49afefa4300a093a54ee43b1ff28a541ae612e34d9d
