Analysis

  • max time kernel
    153s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/03/2024, 14:09 UTC

General

  • Target

    374a979d2b8b45d23e3310676256624ab96bd604c2eb11f327c3e5044a95654a.exe

  • Size

    372KB

  • MD5

    05f62ecabc68ee01d8274a3c97f5b101

  • SHA1

    8128819b7fa55a7a331e933fce52051c66d5e72d

  • SHA256

    374a979d2b8b45d23e3310676256624ab96bd604c2eb11f327c3e5044a95654a

  • SHA512

    e53afc5c9f4cba52c521dbc6f24144bce4f182bdc40a39f94b0005d335cd5384472c48fb04b1e1f6e9dc0a94e58739d6ccda4eff9114f5020054a95c7b903df8

  • SSDEEP

    6144:MfkWFheyVxcO8fo66ZYB9LEpvkWohWS4rNaLGU:BAVgfl6iYpcWot5

Malware Config

Extracted

Path

C:\HOW TO BACK FILES.txt

Family

targetcompany

Ransom Note
Hello
Your files are encrypted and can not be used
We have downloaded your confidential data and are ready to publish it on our blog
To return your files in work condition you need decryption tool
Follow the instructions to decrypt all your data
Do not try to change or restore files yourself, this will break them
If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB
How to get decryption tool:
1) Download and install TOR browser by this link: https://www.torproject.org/download/
2) If TOR blocked in your country and you can't access to the link then use any VPN software
3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
4) Copy your private ID in the input field. Your Private key: B15F283083FA586B5CEA3390
5) You will see payment information and we can make free test decryption here
6) After payment, you will receive a tool for decrypting files, and we will delete the data that was taken from you
Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
If you are unable to contact us through the site, then you can email us: mallox@onionmail.org
Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site.
Emails

mallox@onionmail.org

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

  • TargetCompany,Mallox

    TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (769) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\374a979d2b8b45d23e3310676256624ab96bd604c2eb11f327c3e5044a95654a.exe
    "C:\Users\Admin\AppData\Local\Temp\374a979d2b8b45d23e3310676256624ab96bd604c2eb11f327c3e5044a95654a.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3696
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4808
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:852
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1536

Network

    • flag-us
      DNS
      206.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.178.17.96.in-addr.arpa
      IN PTR
      Response
      206.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-206.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      74.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      74.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      api.ipify.org
      374a979d2b8b45d23e3310676256624ab96bd604c2eb11f327c3e5044a95654a.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ipify.org
      IN A
      Response
      api.ipify.org
      IN A
      104.26.12.205
      api.ipify.org
      IN A
      172.67.74.152
      api.ipify.org
      IN A
      104.26.13.205
    • flag-us
      GET
      http://api.ipify.org/
      374a979d2b8b45d23e3310676256624ab96bd604c2eb11f327c3e5044a95654a.exe
      Remote address:
      104.26.12.205:80
      Request
      GET / HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: api.ipify.org
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Sat, 09 Mar 2024 14:10:04 GMT
      Content-Type: text/plain
      Content-Length: 12
      Connection: keep-alive
      Vary: Origin
      CF-Cache-Status: DYNAMIC
      Server: cloudflare
      CF-RAY: 861ba577fcb87332-LHR
    • flag-ru
      POST
      http://91.215.85.142/QWEwqdsvsf/ap.php
      374a979d2b8b45d23e3310676256624ab96bd604c2eb11f327c3e5044a95654a.exe
      Remote address:
      91.215.85.142:80
      Request
      POST /QWEwqdsvsf/ap.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: 91.215.85.142
      Content-Length: 160
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx/1.22.1
      Date: Sat, 09 Mar 2024 14:10:04 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      X-Powered-By: PHP/7.4.33
    • flag-us
      DNS
      205.12.26.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.12.26.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      142.85.215.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      142.85.215.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      9.228.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.228.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      58.99.105.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.99.105.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      41.110.16.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      41.110.16.96.in-addr.arpa
      IN PTR
      Response
      41.110.16.96.in-addr.arpa
      IN PTR
      a96-16-110-41.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.a-0001.a-msedge.net
      g-bing-com.a-0001.a-msedge.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=040BDC3BCDC861F80600C806CCEF6063; domain=.bing.com; expires=Thu, 03-Apr-2025 14:10:37 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: BF7A0AD5C7BA49198791148655F034A8 Ref B: LON04EDGE0615 Ref C: 2024-03-09T14:10:37Z
      date: Sat, 09 Mar 2024 14:10:37 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=040BDC3BCDC861F80600C806CCEF6063
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=URM69m-SgORHWD7bbhVzGHCu_wt-s4GIQxtuUq09JY8; domain=.bing.com; expires=Thu, 03-Apr-2025 14:10:37 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 816DAFA03ABA479AADAEFEA07252B557 Ref B: LON04EDGE0615 Ref C: 2024-03-09T14:10:37Z
      date: Sat, 09 Mar 2024 14:10:37 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=040BDC3BCDC861F80600C806CCEF6063; MSPTC=URM69m-SgORHWD7bbhVzGHCu_wt-s4GIQxtuUq09JY8
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: BB4AD5665A384BBEBD75FE80594B048F Ref B: LON04EDGE0615 Ref C: 2024-03-09T14:10:37Z
      date: Sat, 09 Mar 2024 14:10:37 GMT
    • flag-us
      DNS
      103.169.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      103.169.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001.a-msedge.net
    • flag-us
      DNS
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.135.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.135.221.88.in-addr.arpa
      IN PTR
      Response
      217.135.221.88.in-addr.arpa
      IN PTR
      a88-221-135-217.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      175.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      175.178.17.96.in-addr.arpa
      IN PTR
      Response
      175.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-175.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      175.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      175.178.17.96.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      11.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      11.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      185.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      185.178.17.96.in-addr.arpa
      IN PTR
      Response
      185.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-185.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      185.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      185.178.17.96.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      10.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.173.189.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      10.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.173.189.20.in-addr.arpa
      IN PTR
    • 104.26.12.205:80
      http://api.ipify.org/
      http
      374a979d2b8b45d23e3310676256624ab96bd604c2eb11f327c3e5044a95654a.exe
      413 B
      400 B
      6
      4

      HTTP Request

      GET http://api.ipify.org/

      HTTP Response

      200
    • 91.215.85.142:80
      http://91.215.85.142/QWEwqdsvsf/ap.php
      http
      374a979d2b8b45d23e3310676256624ab96bd604c2eb11f327c3e5044a95654a.exe
      612 B
      437 B
      6
      5

      HTTP Request

      POST http://91.215.85.142/QWEwqdsvsf/ap.php

      HTTP Response

      200
    • 10.127.0.1:445
      260 B
      5
    • 10.127.0.1:139
      260 B
      5
    • 20.231.121.79:80
      46 B
      1
    • 204.79.197.200:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=
      tls, http2
      2.0kB
      9.2kB
      21
      18

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8c8bda9c3843499ea8c00f67932bec6d&localId=w:AE07C56D-9F7E-DB3B-D18D-2459C76F841B&deviceId=6825825924912662&anid=

      HTTP Response

      204
    • 10.127.0.1:135
      374a979d2b8b45d23e3310676256624ab96bd604c2eb11f327c3e5044a95654a.exe
      260 B
      5
    • 10.127.0.1:135
      374a979d2b8b45d23e3310676256624ab96bd604c2eb11f327c3e5044a95654a.exe
      260 B
      5
    • 10.127.0.1:445
      260 B
      5
    • 10.127.0.1:139
      260 B
      5
    • 154.61.71.13:445
      260 B
      5
    • 154.61.71.13:139
      260 B
      5
    • 154.61.71.13:135
      374a979d2b8b45d23e3310676256624ab96bd604c2eb11f327c3e5044a95654a.exe
      156 B
      3
    • 8.8.8.8:53
      206.178.17.96.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      206.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      74.32.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      74.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      api.ipify.org
      dns
      374a979d2b8b45d23e3310676256624ab96bd604c2eb11f327c3e5044a95654a.exe
      59 B
      107 B
      1
      1

      DNS Request

      api.ipify.org

      DNS Response

      104.26.12.205
      172.67.74.152
      104.26.13.205

    • 8.8.8.8:53
      205.12.26.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      205.12.26.104.in-addr.arpa

    • 8.8.8.8:53
      142.85.215.91.in-addr.arpa
      dns
      72 B
      132 B
      1
      1

      DNS Request

      142.85.215.91.in-addr.arpa

    • 8.8.8.8:53
      9.228.82.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      9.228.82.20.in-addr.arpa

    • 8.8.8.8:53
      58.99.105.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      58.99.105.20.in-addr.arpa

    • 8.8.8.8:53
      41.110.16.96.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      41.110.16.96.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      158 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      103.169.127.40.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      103.169.127.40.in-addr.arpa

    • 8.8.8.8:53
      200.197.79.204.in-addr.arpa
      dns
      73 B
      106 B
      1
      1

      DNS Request

      200.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      217.135.221.88.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      217.135.221.88.in-addr.arpa

    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      175.178.17.96.in-addr.arpa
      dns
      144 B
      137 B
      2
      1

      DNS Request

      175.178.17.96.in-addr.arpa

      DNS Request

      175.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      11.227.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      11.227.111.52.in-addr.arpa

    • 8.8.8.8:53
      185.178.17.96.in-addr.arpa
      dns
      144 B
      137 B
      2
      1

      DNS Request

      185.178.17.96.in-addr.arpa

      DNS Request

      185.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      10.173.189.20.in-addr.arpa
      dns
      144 B
      158 B
      2
      1

      DNS Request

      10.173.189.20.in-addr.arpa

      DNS Request

      10.173.189.20.in-addr.arpa

Downloads

    • C:\HOW TO BACK FILES.txt

      Filesize

      1KB

      MD5

      939909eb53710f611df0377c28593e46

      SHA1

      f3538bf16101461c48da6779ce6b0574f8ea6100

      SHA256

      15dc929fe63449daceed96a8b2d14836f402171561ab692d3d2fa23f1155b547

      SHA512

      683df4a3ee8808f39958794c73391267955d780c36b0b6907b860aeced68a05ef69ee4d3238fd100940958e2d762d44600eca9896a88290855341979044cfbc2

    • C:\Users\Admin\AppData\Local\Temp\debugLog.txt

      Filesize

      4KB

      MD5

      bf2abe322b3d0981850886a5355cd850

      SHA1

      7d2360363dabb0bd08f5d6b0e13cd4e63dd0874a

      SHA256

      0fd376e8c35bb81af2b13b0247ab356d8029dd108efd86e0ebe3552efa716839

      SHA512

      bb24af862e149ef3f91b96572d285f8ea7b601e722567a58e8d1cdb1e730dda78acae85b2d7af6935238627f07eecd60bb05e20e9f99b8b5a8e3d0c09f3ac0b8

    • C:\Users\Admin\AppData\Local\Temp\debugLog.txt

      Filesize

      2KB

      MD5

      67c98b54df6ff8667daca52feea6af47

      SHA1

      304aa9cae495bcb66b2fe334392709d24ae11131

      SHA256

      530cdcf584492ba98ae0eefe00621aa41d4fc51e42586316de496f0dc1ac41f0

      SHA512

      4cf4be1586b11ea28aee5f4327fc333ac678642e3ab243d46e3d6a7a829918a1f54f63ca2717fba9fe92dbcdbfa36405db895e36c77f5837488f1912b5fa5f31

    • C:\Users\Admin\AppData\Local\Temp\debugLog.txt

      Filesize

      5KB

      MD5

      7652e2815eb7981f6122f26b74552806

      SHA1

      442e5155373db3528aeac459ca92ed21da32a1e0

      SHA256

      093d934a0cb6e3b3e1437d7ae25c4a0bc97267967474d53963cda16bf2746ba3

      SHA512

      8b1ce7a89f50c6bc637f3eaa7d0983435a9fb4e3d84046ced9b06aa8d6441b82ab159dbb622a3348bab6aaa2554aa69fed31db66dec13af534b3e5a3bc7069e5
