64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab | Triage

Resubmissions

17/04/2024, 12:37 UTC

240417-pths4afc45 8

17/04/2024, 12:37 UTC

240417-ptg7kafc43 8

17/04/2024, 12:36 UTC

240417-ptcbbafc34 8

17/04/2024, 12:36 UTC

240417-ptbpsafc29 8

17/04/2024, 12:36 UTC

240417-pta39afc28 8

16/04/2024, 13:44 UTC

240416-q1vxnsda7z 8

Analysis

max time kernel
592s
max time network
607s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 12:36 UTC

Sharing

Report Analysis Logs

General

Target

64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
Size

5.3MB
MD5

63552c60caeefe5f2d0e4028b3cc65d3
SHA1

dbed3040d53495a6afda01bfb8399376792eb48c
SHA256

64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab
SHA512

caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0
SSDEEP

98304:vwrOjNr08jQxkFg97Nw76XgfqCPa1AQy2cmw:YC5r0wQxKg97Nw76XgyC6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
4456	svchost.exe
4612	svchost.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	87.236.195.203

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System\xxx1.bak	svchost.exe
File created	C:\Windows\System\xxx1.bak	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
File created	C:\Windows\System\svchost.exe	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
File opened for modification	C:\Windows\System\svchost.exe	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
4112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2880	powershell.exe
4008	powershell.exe
2880	powershell.exe
4008	powershell.exe
4504	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
4504	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
792	powershell.exe
2828	powershell.exe
792	powershell.exe
2828	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 2880	4504	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	85
PID 4504 wrote to memory of 2880	4504	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	85
PID 4504 wrote to memory of 4008	4504	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	87
PID 4504 wrote to memory of 4008	4504	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	87
PID 4504 wrote to memory of 4112	4504	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	91
PID 4504 wrote to memory of 4112	4504	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	91
PID 4504 wrote to memory of 4456	4504	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	93
PID 4504 wrote to memory of 4456	4504	64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe	93
PID 4456 wrote to memory of 792	4456	svchost.exe	96
PID 4456 wrote to memory of 792	4456	svchost.exe	96
PID 4456 wrote to memory of 2828	4456	svchost.exe	98
PID 4456 wrote to memory of 2828	4456	svchost.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe
"C:\Users\Admin\AppData\Local\Temp\64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
  2⤵
  - Creates scheduled task(s)
  PID:4112
- C:\Windows\System\svchost.exe
  "C:\Windows\System\svchost.exe" formal
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2828

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
- Executes dropped EXE
PID:4612

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR

Response
DNS

240.197.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.197.17.2.in-addr.arpa

IN PTR

Response

240.197.17.2.in-addr.arpa

IN PTR

a2-17-197-240deploystaticakamaitechnologiescom
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

25.14.97.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.14.97.104.in-addr.arpa

IN PTR

Response

25.14.97.104.in-addr.arpa

IN PTR

a104-97-14-25deploystaticakamaitechnologiescom
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response
DNS

189.40.188.131.in-addr.arpa

Remote address:

8.8.8.8:53

Request

189.40.188.131.in-addr.arpa

IN PTR

Response

189.40.188.131.in-addr.arpa

IN PTR

despari informatikuni-erlangende
DNS

32.172.23.94.in-addr.arpa

Remote address:

8.8.8.8:53

Request

32.172.23.94.in-addr.arpa

IN PTR

Response

32.172.23.94.in-addr.arpa

IN PTR

ip32ip-94-23-172eu
DNS

101.143.71.167.in-addr.arpa

Remote address:

8.8.8.8:53

Request

101.143.71.167.in-addr.arpa

IN PTR

Response
DNS

143.49.15.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.49.15.51.in-addr.arpa

IN PTR

Response

143.49.15.51.in-addr.arpa

IN PTR

143-49-15-51 instancesscwcloud
DNS

217.177.135.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.177.135.5.in-addr.arpa

IN PTR

Response

217.177.135.5.in-addr.arpa

IN PTR

toriousxonumicom
DNS

5.86.76.144.in-addr.arpa

Remote address:

8.8.8.8:53

Request

5.86.76.144.in-addr.arpa

IN PTR

Response

5.86.76.144.in-addr.arpa

IN PTR

static58676144clientsyour-serverde
DNS

199.43.76.144.in-addr.arpa

Remote address:

8.8.8.8:53

Request

199.43.76.144.in-addr.arpa

IN PTR

Response

199.43.76.144.in-addr.arpa

IN PTR

static1994376144clientsyour-serverde
DNS

203.195.236.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.195.236.87.in-addr.arpa

IN PTR

Response

203.195.236.87.in-addr.arpa

IN PTR

unassigned-87236195203coolhousingnet
DNS

224.207.39.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

224.207.39.194.in-addr.arpa

IN PTR

Response

224.207.39.194.in-addr.arpa

IN PTR

purlinduckdnsorg
DNS

44.24.244.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

44.24.244.185.in-addr.arpa

IN PTR

Response

44.24.244.185.in-addr.arpa

IN PTR

tor43x6nl
DNS

99.92.91.144.in-addr.arpa

Remote address:

8.8.8.8:53

Request

99.92.91.144.in-addr.arpa

IN PTR

Response

99.92.91.144.in-addr.arpa

IN PTR

markusonlinede
DNS

89.177.142.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

89.177.142.45.in-addr.arpa

IN PTR

Response

89.177.142.45.in-addr.arpa

IN PTR

demonhunterultrasrvde
DNS

113.96.58.176.in-addr.arpa

Remote address:

8.8.8.8:53

Request

113.96.58.176.in-addr.arpa

IN PTR

Response

113.96.58.176.in-addr.arpa

IN PTR

176-58-96-113iplinodeusercontentcom
DNS

125.57.81.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

125.57.81.51.in-addr.arpa

IN PTR

Response

125.57.81.51.in-addr.arpa

IN PTR

ns1001165ip-51-81-57us
DNS

77.152.126.144.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.152.126.144.in-addr.arpa

IN PTR

Response

77.152.126.144.in-addr.arpa

IN PTR

readme-tor-exit-router-xquidoorg
DNS

228.181.79.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.181.79.45.in-addr.arpa

IN PTR

Response

228.181.79.45.in-addr.arpa

IN PTR

leoredvwcom
DNS

155.131.46.198.in-addr.arpa

Remote address:

8.8.8.8:53

Request

155.131.46.198.in-addr.arpa

IN PTR

Response

155.131.46.198.in-addr.arpa

IN PTR

198-46-131-155-hostcolocrossingcom
DNS

61.234.204.15.in-addr.arpa

Remote address:

8.8.8.8:53

Request

61.234.204.15.in-addr.arpa

IN PTR

Response

61.234.204.15.in-addr.arpa

IN PTR

vps-f0df77a8vpsovhus
DNS

29.3.148.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.3.148.185.in-addr.arpa

IN PTR

Response

29.3.148.185.in-addr.arpa

IN PTR

this-is-hosted-bypulsedmediacom
DNS

31.138.69.159.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.138.69.159.in-addr.arpa

IN PTR

Response

31.138.69.159.in-addr.arpa

IN PTR

edward littleprojectde
DNS

81.234.89.174.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.234.89.174.in-addr.arpa

IN PTR

Response

81.234.89.174.in-addr.arpa

IN PTR

*bras-base-mtrlpq4706w-grc-02-174-89-234-81dslbellca
DNS

13.94.21.65.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.94.21.65.in-addr.arpa

IN PTR

Response

13.94.21.65.in-addr.arpa

IN PTR

tor-relay zwiebeltoralfde
DNS

45.155.123.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.155.123.77.in-addr.arpa

IN PTR

Response

45.155.123.77.in-addr.arpa

IN PTR

4515512377colostaticdcvoliacom
DNS

63.182.163.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

63.182.163.194.in-addr.arpa

IN PTR

Response

63.182.163.194.in-addr.arpa

IN PTR

vmd134077 contaboservernet
DNS

49.48.69.158.in-addr.arpa

Remote address:

8.8.8.8:53

Request

49.48.69.158.in-addr.arpa

IN PTR

Response

49.48.69.158.in-addr.arpa

IN PTR

vps-d72db2b2vpsovhca
DNS

120.175.156.94.in-addr.arpa

Remote address:

8.8.8.8:53

Request

120.175.156.94.in-addr.arpa

IN PTR

Response
DNS

239.76.251.198.in-addr.arpa

Remote address:

8.8.8.8:53

Request

239.76.251.198.in-addr.arpa

IN PTR

Response

239.76.251.198.in-addr.arpa

IN PTR

relay4toropeninternetio
DNS

85.86.71.167.in-addr.arpa

Remote address:

8.8.8.8:53

Request

85.86.71.167.in-addr.arpa

IN PTR

Response
DNS

199.193.23.66.in-addr.arpa

Remote address:

8.8.8.8:53

Request

199.193.23.66.in-addr.arpa

IN PTR

Response
DNS

195.56.198.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.56.198.185.in-addr.arpa

IN PTR

Response

195.56.198.185.in-addr.arpa

IN CNAME

195.128-255.56.198.185.in-addr.arpa

195.128-255.56.198.185.in-addr.arpa

IN PTR

185-198-56-195 broadbandcgocableca
DNS

158.131.46.198.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.131.46.198.in-addr.arpa

IN PTR

Response

158.131.46.198.in-addr.arpa

IN PTR

198-46-131-158-hostcolocrossingcom
DNS

30.33.162.130.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.33.162.130.in-addr.arpa

IN PTR

Response
DNS

176.190.252.37.in-addr.arpa

Remote address:

8.8.8.8:53

Request

176.190.252.37.in-addr.arpa

IN PTR

Response
DNS

225.162.46.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

225.162.46.104.in-addr.arpa

IN PTR

Response
DNS

6.10.31.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

6.10.31.64.in-addr.arpa

IN PTR

Response

6.10.31.64.in-addr.arpa

IN PTR

6-10-31-64staticreverselstnnet
DNS

34.116.251.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

34.116.251.162.in-addr.arpa

IN PTR

Response

34.116.251.162.in-addr.arpa

IN PTR

34116251162vpshousexyz
DNS

85.175.156.94.in-addr.arpa

Remote address:

8.8.8.8:53

Request

85.175.156.94.in-addr.arpa

IN PTR

Response

85.175.156.94.in-addr.arpa

IN PTR

comegysisacom
DNS

102.247.44.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

102.247.44.142.in-addr.arpa

IN PTR

Response

102.247.44.142.in-addr.arpa

IN PTR

102 ip-142-44-247net
DNS

213.72.81.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

213.72.81.51.in-addr.arpa

IN PTR

Response

213.72.81.51.in-addr.arpa

IN PTR

ip213ip-51-81-72us
DNS

18.101.223.82.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.101.223.82.in-addr.arpa

IN PTR

Response
DNS

235.201.158.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

235.201.158.51.in-addr.arpa

IN PTR

Response

235.201.158.51.in-addr.arpa

IN PTR

oligarchge
DNS

57.212.244.198.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.212.244.198.in-addr.arpa

IN PTR

Response

57.212.244.198.in-addr.arpa

IN PTR

ns31514033ip-198-244-212eu
DNS

53.212.90.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.212.90.157.in-addr.arpa

IN PTR

Response

53.212.90.157.in-addr.arpa

IN PTR

itomorikatawaredokinet
DNS

58.140.222.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.140.222.51.in-addr.arpa

IN PTR

Response

58.140.222.51.in-addr.arpa

IN PTR

vps-a1c8b30evpsovhca
DNS

58.140.222.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.140.222.51.in-addr.arpa

IN PTR

Response

58.140.222.51.in-addr.arpa

IN PTR

vps-a1c8b30evpsovhca
DNS

30.33.216.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.33.216.95.in-addr.arpa

IN PTR

Response

30.33.216.95.in-addr.arpa

IN PTR

ukko0x90dk

163.172.194.53:9001

svchost.exe

260 B
5
91.245.255.4:443

svchost.exe

260 B
5
142.4.213.88:443

svchost.exe

260 B
5
127.0.0.1:50471

svchost.exe
127.0.0.1:9150

svchost.exe
85.214.196.178:9001

svchost.exe

260 B
200 B
5
5
45.66.33.45:443

svchost.exe

260 B
5
185.173.179.18:443

svchost.exe

260 B
5
192.34.58.232:9004

svchost.exe

260 B
5
91.219.236.197:443

svchost.exe

260 B
5
86.59.21.38:443

svchost.exe

260 B
200 B
5
5
51.75.82.166:443

svchost.exe

260 B
200 B
5
5
154.35.175.225:443

svchost.exe

260 B
5
195.123.212.228:9001

svchost.exe

260 B
5
131.188.40.189:443

www.3cph.com

tls

svchost.exe

51.7kB
772.5kB
561
573
144.91.92.99:9001

www.ignkt.com

tls

svchost.exe

77.7kB
885.2kB
587
663
144.126.152.77:443

www.2t3w6ww5nxdy3mullrdb2k3.com

tls

svchost.exe

77.2kB
880.9kB
575
653
94.23.172.32:444

www.mzwpy.com

tls

svchost.exe

80.6kB
910.9kB
630
674
87.236.195.203:53

www.cnbvjl3zmngm6ibizcjmbe.com

tls

svchost.exe

74.2kB
799.0kB
564
600
45.142.177.89:443

www.acvibs5iytpmanrdg2vw5s5.com

tls

svchost.exe

80.8kB
883.4kB
592
683
15.204.234.61:9100

www.7g6b.com

tls

svchost.exe

78.7kB
806.1kB
561
619
167.71.143.101:9001

www.7zwpx6eizcmml3arkvq.com

tls

svchost.exe

79.0kB
858.3kB
576
665
176.58.96.113:9001

www.5sqssyr72kg2n.com

tls

svchost.exe

78.9kB
870.2kB
610
674
51.81.57.125:9001

www.uuq5hx5eqegflwha.com

tls

svchost.exe

75.4kB
835.7kB
558
620
51.15.49.143:443

www.gjmqd.com

tls

svchost.exe

78.2kB
873.0kB
594
679
185.244.24.44:8443

www.ncnbn6v3auzc7.com

tls

svchost.exe

75.1kB
831.9kB
562
619
5.135.177.217:443

www.o3vcmhg72pz7.com

tls

svchost.exe

77.2kB
843.4kB
597
625
194.39.207.224:9001

www.5xn55mlfibcwt6pff.com

tls

svchost.exe

75.2kB
826.6kB
565
615
45.79.181.228:9001

www.t4kbgaduuh7x.com

tls

svchost.exe

70.6kB
786.0kB
484
591
144.76.86.5:8080

www.fj7tcb.com

tls

svchost.exe

80.0kB
874.6kB
595
649
144.76.43.199:9001

www.57ytrgp3pqxp3cxt6x7mg.com

tls

svchost.exe

37.7kB
380.9kB
281
287
198.46.131.155:443

www.qszm.com

tls

svchost.exe

3.8kB
6.8kB
16
18
185.148.3.29:9200

www.fdpvl5ggw6ljayb7.com

tls

svchost.exe

3.6kB
5.9kB
13
12
159.69.138.31:9001

www.7voj4jq.com

tls

svchost.exe

19.9kB
41.1kB
67
79
174.89.234.81:1234

www.2t27xrduayj2jtblm2yed.com

tls

svchost.exe

31.3kB
30.3kB
96
96
65.21.94.13:5443

www.jnhoky46.com

tls

svchost.exe

24.4kB
5.9kB
49
49
77.123.155.45:443

www.bpiowqog7dqugcyudl.com

tls

svchost.exe

20.5kB
24.9kB
68
71
194.163.182.63:443

www.yuhxgwk2pg5ie5vmfznr2n36.com

tls

svchost.exe

31.2kB
28.1kB
92
94
158.69.48.49:443

www.34qe6dffssdceshnzakujad.com

tls

svchost.exe

22.8kB
23.4kB
71
71
94.156.175.120:443

www.hfjon6eh3a4.com

tls

svchost.exe

30.0kB
28.6kB
91
94
198.251.76.239:443

www.ydmrlljzq56.com

tls

svchost.exe

30.7kB
29.2kB
93
95
167.71.86.85:443

www.zzhk52lm32eesrfkyi6s.com

tls

svchost.exe

34.3kB
24.3kB
92
93
66.23.193.199:443

www.6j6xf2uqqfupq.com

tls

svchost.exe

27.4kB
31.8kB
91
94
185.198.56.195:9001

www.2snjtmldq7nbmu7.com

tls

svchost.exe

31.3kB
30.3kB
96
96
198.46.131.158:443

www.tq52kxshnwpk3.com

tls

svchost.exe

30.3kB
30.9kB
96
98
130.162.33.30:9001

www.drddaxitswgoedth5brg.com

tls

svchost.exe

27.5kB
35.1kB
94
97
37.252.190.176:443

www.wu4lmxztxmtg3jxy.com

tls

svchost.exe

40.1kB
297.4kB
226
304
64.31.10.6:9000

www.d675hulfzjbg72fb2wqg4.com

tls

svchost.exe

28.5kB
35.1kB
93
98
162.251.116.34:443

www.d66h7rqeytwtuszvsl6h.com

tls

svchost.exe

29.2kB
37.3kB
96
101
94.156.175.85:9001

www.nbptvlgh7h3rpqqvjggroyih4.com

tls

svchost.exe

33.1kB
32.1kB
100
102
142.44.247.102:443

www.zhdrfmyftlaeoby6.com

tls

svchost.exe

24.9kB
28.2kB
83
83
127.0.0.1:9150

svchost.exe
51.81.72.213:9001

www.35vm3idir.com

tls

svchost.exe

12.0kB
10.7kB
33
35
82.223.101.18:9001

www.w5wnpjgtpwlltpisicpkod3j.com

tls

svchost.exe

14.8kB
19.8kB
47
49
127.0.0.1:9150

svchost.exe
51.158.201.235:8080

www.734x4hjhlmpgeovi.com

tls

svchost.exe

9.9kB
13.4kB
34
37
198.244.212.57:443

www.penm7v2b23l.com

tls

svchost.exe

11.5kB
10.7kB
33
35
127.0.0.1:9150

svchost.exe
157.90.212.53:443

www.4qlh5lgoqshlrsdujfm7j.com

tls

svchost.exe

9.3kB
12.8kB
32
34
51.222.140.58:443

www.x2sjwg2ndkbeb.com

tls

svchost.exe

12.0kB
10.1kB
32
34
95.216.33.30:443

www.euxb2w727a.com

tls

svchost.exe

7.5kB
11.5kB
27
29

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

22.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.160.190.20.in-addr.arpa
8.8.8.8:53

240.197.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

240.197.17.2.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

25.14.97.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

25.14.97.104.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa
8.8.8.8:53

189.40.188.131.in-addr.arpa

dns

73 B
121 B
1
1

DNS Request

189.40.188.131.in-addr.arpa
8.8.8.8:53

32.172.23.94.in-addr.arpa

dns

71 B
105 B
1
1

DNS Request

32.172.23.94.in-addr.arpa
8.8.8.8:53

101.143.71.167.in-addr.arpa

dns

73 B
140 B
1
1

DNS Request

101.143.71.167.in-addr.arpa
8.8.8.8:53

143.49.15.51.in-addr.arpa

dns

71 B
117 B
1
1

DNS Request

143.49.15.51.in-addr.arpa
8.8.8.8:53

217.177.135.5.in-addr.arpa

dns

72 B
104 B
1
1

DNS Request

217.177.135.5.in-addr.arpa
8.8.8.8:53

5.86.76.144.in-addr.arpa

dns

70 B
125 B
1
1

DNS Request

5.86.76.144.in-addr.arpa
8.8.8.8:53

199.43.76.144.in-addr.arpa

dns

72 B
129 B
1
1

DNS Request

199.43.76.144.in-addr.arpa
8.8.8.8:53

203.195.236.87.in-addr.arpa

dns

73 B
128 B
1
1

DNS Request

203.195.236.87.in-addr.arpa
8.8.8.8:53

224.207.39.194.in-addr.arpa

dns

73 B
105 B
1
1

DNS Request

224.207.39.194.in-addr.arpa
8.8.8.8:53

44.24.244.185.in-addr.arpa

dns

72 B
97 B
1
1

DNS Request

44.24.244.185.in-addr.arpa
8.8.8.8:53

99.92.91.144.in-addr.arpa

dns

71 B
100 B
1
1

DNS Request

99.92.91.144.in-addr.arpa
8.8.8.8:53

89.177.142.45.in-addr.arpa

dns

72 B
109 B
1
1

DNS Request

89.177.142.45.in-addr.arpa
8.8.8.8:53

113.96.58.176.in-addr.arpa

dns

72 B
124 B
1
1

DNS Request

113.96.58.176.in-addr.arpa
8.8.8.8:53

125.57.81.51.in-addr.arpa

dns

71 B
109 B
1
1

DNS Request

125.57.81.51.in-addr.arpa
8.8.8.8:53

77.152.126.144.in-addr.arpa

dns

73 B
121 B
1
1

DNS Request

77.152.126.144.in-addr.arpa
8.8.8.8:53

228.181.79.45.in-addr.arpa

dns

72 B
99 B
1
1

DNS Request

228.181.79.45.in-addr.arpa
8.8.8.8:53

155.131.46.198.in-addr.arpa

dns

73 B
123 B
1
1

DNS Request

155.131.46.198.in-addr.arpa
8.8.8.8:53

61.234.204.15.in-addr.arpa

dns

72 B
109 B
1
1

DNS Request

61.234.204.15.in-addr.arpa
8.8.8.8:53

29.3.148.185.in-addr.arpa

dns

71 B
118 B
1
1

DNS Request

29.3.148.185.in-addr.arpa
8.8.8.8:53

31.138.69.159.in-addr.arpa

dns

72 B
109 B
1
1

DNS Request

31.138.69.159.in-addr.arpa
8.8.8.8:53

81.234.89.174.in-addr.arpa

dns

72 B
140 B
1
1

DNS Request

81.234.89.174.in-addr.arpa
8.8.8.8:53

13.94.21.65.in-addr.arpa

dns

70 B
110 B
1
1

DNS Request

13.94.21.65.in-addr.arpa
8.8.8.8:53

45.155.123.77.in-addr.arpa

dns

72 B
123 B
1
1

DNS Request

45.155.123.77.in-addr.arpa
8.8.8.8:53

63.182.163.194.in-addr.arpa

dns

73 B
114 B
1
1

DNS Request

63.182.163.194.in-addr.arpa
8.8.8.8:53

49.48.69.158.in-addr.arpa

dns

71 B
108 B
1
1

DNS Request

49.48.69.158.in-addr.arpa
8.8.8.8:53

120.175.156.94.in-addr.arpa

dns

73 B
124 B
1
1

DNS Request

120.175.156.94.in-addr.arpa
8.8.8.8:53

239.76.251.198.in-addr.arpa

dns

73 B
113 B
1
1

DNS Request

239.76.251.198.in-addr.arpa
8.8.8.8:53

85.86.71.167.in-addr.arpa

dns

71 B
138 B
1
1

DNS Request

85.86.71.167.in-addr.arpa
8.8.8.8:53

199.193.23.66.in-addr.arpa

dns

72 B
133 B
1
1

DNS Request

199.193.23.66.in-addr.arpa
8.8.8.8:53

195.56.198.185.in-addr.arpa

dns

73 B
149 B
1
1

DNS Request

195.56.198.185.in-addr.arpa
8.8.8.8:53

158.131.46.198.in-addr.arpa

dns

73 B
123 B
1
1

DNS Request

158.131.46.198.in-addr.arpa
8.8.8.8:53

30.33.162.130.in-addr.arpa

dns

72 B
157 B
1
1

DNS Request

30.33.162.130.in-addr.arpa
8.8.8.8:53

176.190.252.37.in-addr.arpa

dns

73 B
131 B
1
1

DNS Request

176.190.252.37.in-addr.arpa
8.8.8.8:53

225.162.46.104.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

225.162.46.104.in-addr.arpa
8.8.8.8:53

6.10.31.64.in-addr.arpa

dns

69 B
117 B
1
1

DNS Request

6.10.31.64.in-addr.arpa
8.8.8.8:53

34.116.251.162.in-addr.arpa

dns

73 B
114 B
1
1

DNS Request

34.116.251.162.in-addr.arpa
8.8.8.8:53

85.175.156.94.in-addr.arpa

dns

72 B
100 B
1
1

DNS Request

85.175.156.94.in-addr.arpa
8.8.8.8:53

102.247.44.142.in-addr.arpa

dns

73 B
108 B
1
1

DNS Request

102.247.44.142.in-addr.arpa
8.8.8.8:53

213.72.81.51.in-addr.arpa

dns

71 B
105 B
1
1

DNS Request

213.72.81.51.in-addr.arpa
8.8.8.8:53

18.101.223.82.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.101.223.82.in-addr.arpa
8.8.8.8:53

235.201.158.51.in-addr.arpa

dns

73 B
98 B
1
1

DNS Request

235.201.158.51.in-addr.arpa
8.8.8.8:53

57.212.244.198.in-addr.arpa

dns

73 B
115 B
1
1

DNS Request

57.212.244.198.in-addr.arpa
8.8.8.8:53

53.212.90.157.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

53.212.90.157.in-addr.arpa
8.8.8.8:53

58.140.222.51.in-addr.arpa

dns

144 B
218 B
2
2

DNS Request

58.140.222.51.in-addr.arpa

DNS Request

58.140.222.51.in-addr.arpa
8.8.8.8:53

30.33.216.95.in-addr.arpa

dns

71 B
97 B
1
1

DNS Request

30.33.216.95.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3fs24dnh.jvf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
e7634067c1219da664e2c13a622988bf

SHA1
b354b3912ec59fefecdaa660af50c679b136b6ca

SHA256
e1f51b61149b811c5029caaa39ddf54faa18fcd18bbcf432155ad324fbc0fdb7

SHA512
b61ea1448ec13e88c66e043c0f99d95a2626e631841bec0b0e2e1dd6cbbcb8f8587d414f3ad32794ccdadf7c763910ed844220684f3edc71109f47fe4353c944

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
13.6MB

MD5
5180ec2cf30c8d62e2435eecdbb503d1

SHA1
9eca47df86d46b7d7d28a9e68f67775bfb4623a7

SHA256
c863fc0e535dd788fa31f30c2161305c7e6fb7ac4a728096127aee045f7a62d0

SHA512
18d373610332207333254d48127261c5b1fcae615f0b3261fa60b6ce44b3434c9f00a09fe1e3bfca73d81b5dcbcfee8c8881a0f6da5542d8afd38952fcc791a8

Download Submit
C:\Windows\System\svchost.exe

Filesize
5.3MB

MD5
63552c60caeefe5f2d0e4028b3cc65d3

SHA1
dbed3040d53495a6afda01bfb8399376792eb48c

SHA256
64e589ec7bd006671b3192241c36ab7d87c9f4e93fd0b0d6f5f327de1b9a59ab

SHA512
caf92a581afd25daaf9763a382b47fc87141773a8879c24ed855dfe1186b86ed7269b0cf17e8c1caee983eb85008f1161f4df07aabe0e1bb719514b41c365ba0

Download Submit
memory/792-82-0x00007FF8D0E10000-0x00007FF8D18D1000-memory.dmp

Filesize
10.8MB

Download
memory/792-71-0x00007FF8D0E10000-0x00007FF8D18D1000-memory.dmp

Filesize
10.8MB

Download
memory/2828-83-0x00007FF8D0E10000-0x00007FF8D18D1000-memory.dmp

Filesize
10.8MB

Download
memory/2828-77-0x00007FF8D0E10000-0x00007FF8D18D1000-memory.dmp

Filesize
10.8MB

Download
memory/2828-78-0x00000244F5380000-0x00000244F5390000-memory.dmp

Filesize
64KB

Download
memory/2880-38-0x00007FF8D1010000-0x00007FF8D1AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2880-30-0x0000028A267D0000-0x0000028A267E0000-memory.dmp

Filesize
64KB

Download
memory/2880-32-0x0000028A267D0000-0x0000028A267E0000-memory.dmp

Filesize
64KB

Download
memory/2880-7-0x0000028A409B0000-0x0000028A409D2000-memory.dmp

Filesize
136KB

Download
memory/2880-26-0x00007FF8D1010000-0x00007FF8D1AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4008-29-0x0000022A76F60000-0x0000022A76F70000-memory.dmp

Filesize
64KB

Download
memory/4008-31-0x0000022A76F60000-0x0000022A76F70000-memory.dmp

Filesize
64KB

Download
memory/4008-39-0x00007FF8D1010000-0x00007FF8D1AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4008-27-0x00007FF8D1010000-0x00007FF8D1AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4008-28-0x0000022A76F60000-0x0000022A76F70000-memory.dmp

Filesize
64KB

Download
memory/4456-100-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/4456-54-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/4456-56-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/4456-84-0x0000000015540000-0x0000000015A3C000-memory.dmp

Filesize
5.0MB

Download
memory/4504-6-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/4504-5-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/4504-0-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/4504-50-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/4504-4-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/4504-3-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/4612-170-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/4612-172-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download
memory/4612-176-0x0000000140000000-0x0000000140644400-memory.dmp

Filesize
6.3MB

Download