Analysis

  • max time kernel
    134s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/05/2024, 01:48 UTC

General

  • Target

    71d1f22830e0f40506171cda626891b4f954ec22f4a4cd0045b37f8d6c404451.exe

  • Size

    2.0MB

  • MD5

    b5829ea81cde8f48ba1190e20e6bb15d

  • SHA1

    51fbb15275360bbf2a866f339045527e941e1a85

  • SHA256

    71d1f22830e0f40506171cda626891b4f954ec22f4a4cd0045b37f8d6c404451

  • SHA512

    d84e43e6cf342d0e7696be6b1cbcf42dce5d1efe518f4949faa8841ee398a25a63a6e41440eb10ba0d276454ba73752c9ffb17eddbfd0813a636646663e26b4a

  • SSDEEP

    49152:aaXI0V7PoU9lHrHmvtiLGMIqCGLhRSCquJnm:3Y0V7gU9l2tiLGVGLhRvquJnm

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Detect ZGRat V1 1 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Creates new service(s) 2 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71d1f22830e0f40506171cda626891b4f954ec22f4a4cd0045b37f8d6c404451.exe
    "C:\Users\Admin\AppData\Local\Temp\71d1f22830e0f40506171cda626891b4f954ec22f4a4cd0045b37f8d6c404451.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2512
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
        PID:2980
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mfkosshg\
          3⤵
            PID:3296
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\iaffmeyc.exe" C:\Windows\SysWOW64\mfkosshg\
            3⤵
              PID:2076
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" create mfkosshg binPath= "C:\Windows\SysWOW64\mfkosshg\iaffmeyc.exe /d\"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe\"" type= own start= auto DisplayName= "wifi support"
              3⤵
              • Launches sc.exe
              PID:4084
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" description mfkosshg "wifi internet conection"
              3⤵
              • Launches sc.exe
              PID:3548
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start mfkosshg
              3⤵
              • Launches sc.exe
              PID:1996
            • C:\Windows\SysWOW64\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
              3⤵
              • Modifies Windows Firewall
              PID:3080
        • C:\Windows\SysWOW64\mfkosshg\iaffmeyc.exe
          C:\Windows\SysWOW64\mfkosshg\iaffmeyc.exe /d"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          1⤵
          • Executes dropped EXE
          PID:2676

        Network

        • flag-us
          DNS
          149.220.183.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          149.220.183.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          172.210.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.210.232.199.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          72.32.126.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          72.32.126.40.in-addr.arpa
          IN PTR
          Response
        • flag-nl
          GET
          https://www.bing.com/th?id=OADD2.10239338877209_1W0BYALNC7PUDJ3J3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
          Remote address:
          23.62.61.97:443
          Request
          GET /th?id=OADD2.10239338877209_1W0BYALNC7PUDJ3J3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
          host: www.bing.com
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-type: image/png
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          content-length: 457
          date: Mon, 06 May 2024 01:48:35 GMT
          alt-svc: h3=":443"; ma=93600
          x-cdn-traceid: 0.5d3d3e17.1714960115.e79eb9d
        • flag-us
          DNS
          97.61.62.23.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          97.61.62.23.in-addr.arpa
          IN PTR
          Response
          97.61.62.23.in-addr.arpa
          IN PTR
          a23-62-61-97.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          209.205.72.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          209.205.72.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          103.169.127.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          103.169.127.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          56.126.166.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          56.126.166.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          0.205.248.87.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          0.205.248.87.in-addr.arpa
          IN PTR
          Response
          0.205.248.87.in-addr.arpa
          IN PTR
          https-87-248-205-0.lgw.llnw.net
        • flag-us
          DNS
          77.190.18.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          77.190.18.2.in-addr.arpa
          IN PTR
          Response
          77.190.18.2.in-addr.arpa
          IN PTR
          a2-18-190-77.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          88.156.103.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          88.156.103.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          48.251.17.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          48.251.17.2.in-addr.arpa
          IN PTR
          Response
          48.251.17.2.in-addr.arpa
          IN PTR
          a2-17-251-48.deploy.static.akamaitechnologies.com
        • flag-us
          DNS
          192.122.142.45.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          192.122.142.45.in-addr.arpa
          IN PTR
          Response
          192.122.142.45.in-addr.arpa
          IN PTR
          main.aeza.network
        • flag-us
          DNS
          240.221.184.93.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          240.221.184.93.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          48.229.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          48.229.111.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          tse1.mm.bing.net
          Remote address:
          8.8.8.8:53
          Request
          tse1.mm.bing.net
          IN A
          Response
          tse1.mm.bing.net
          IN CNAME
          mm-mm.bing.net.trafficmanager.net
          mm-mm.bing.net.trafficmanager.net
          IN CNAME
          dual-a-0001.a-msedge.net
          dual-a-0001.a-msedge.net
          IN A
          204.79.197.200
          dual-a-0001.a-msedge.net
          IN A
          13.107.21.200
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 449656
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 2FFCD23D2EEC41F5B8AFC1146E12C719 Ref B: LON04EDGE0721 Ref C: 2024-05-06T01:50:13Z
          date: Mon, 06 May 2024 01:50:12 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 468637
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: BB87BBF6DDBC49D89394AD64734EDC40 Ref B: LON04EDGE0721 Ref C: 2024-05-06T01:50:13Z
          date: Mon, 06 May 2024 01:50:12 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 621794
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: A6614675DBFB48D1AB2AE2646CFBEB03 Ref B: LON04EDGE0721 Ref C: 2024-05-06T01:50:13Z
          date: Mon, 06 May 2024 01:50:12 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 659775
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 64511C2C05FC428683910DEEE2711991 Ref B: LON04EDGE0721 Ref C: 2024-05-06T01:50:13Z
          date: Mon, 06 May 2024 01:50:12 GMT
        • flag-us
          DNS
          205.47.74.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          205.47.74.20.in-addr.arpa
          IN PTR
          Response
        • 23.62.61.97:443
          https://www.bing.com/th?id=OADD2.10239338877209_1W0BYALNC7PUDJ3J3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
          tls, http2
          1.5kB
          5.7kB
          17
          11

          HTTP Request

          GET https://www.bing.com/th?id=OADD2.10239338877209_1W0BYALNC7PUDJ3J3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

          HTTP Response

          200
        • 45.142.122.192:47398
          InstallUtil.exe
          31.7kB
          13.4kB
          34
          21
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          8.1kB
          16
          14
        • 204.79.197.200:443
          https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          tls, http2
          82.8kB
          2.3MB
          1666
          1663

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Response

          200

          HTTP Response

          200

          HTTP Response

          200

          HTTP Response

          200
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          8.1kB
          16
          14
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          8.1kB
          16
          14
        • 8.8.8.8:53
          149.220.183.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          149.220.183.52.in-addr.arpa

        • 8.8.8.8:53
          172.210.232.199.in-addr.arpa
          dns
          74 B
          128 B
          1
          1

          DNS Request

          172.210.232.199.in-addr.arpa

        • 8.8.8.8:53
          72.32.126.40.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          72.32.126.40.in-addr.arpa

        • 8.8.8.8:53
          97.61.62.23.in-addr.arpa
          dns
          70 B
          133 B
          1
          1

          DNS Request

          97.61.62.23.in-addr.arpa

        • 8.8.8.8:53
          209.205.72.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          209.205.72.20.in-addr.arpa

        • 8.8.8.8:53
          103.169.127.40.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          103.169.127.40.in-addr.arpa

        • 8.8.8.8:53
          56.126.166.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          56.126.166.20.in-addr.arpa

        • 8.8.8.8:53
          0.205.248.87.in-addr.arpa
          dns
          71 B
          116 B
          1
          1

          DNS Request

          0.205.248.87.in-addr.arpa

        • 8.8.8.8:53
          77.190.18.2.in-addr.arpa
          dns
          70 B
          133 B
          1
          1

          DNS Request

          77.190.18.2.in-addr.arpa

        • 8.8.8.8:53
          88.156.103.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          88.156.103.20.in-addr.arpa

        • 8.8.8.8:53
          48.251.17.2.in-addr.arpa
          dns
          70 B
          133 B
          1
          1

          DNS Request

          48.251.17.2.in-addr.arpa

        • 8.8.8.8:53
          192.122.142.45.in-addr.arpa
          dns
          73 B
          104 B
          1
          1

          DNS Request

          192.122.142.45.in-addr.arpa

        • 8.8.8.8:53
          240.221.184.93.in-addr.arpa
          dns
          73 B
          144 B
          1
          1

          DNS Request

          240.221.184.93.in-addr.arpa

        • 8.8.8.8:53
          48.229.111.52.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          48.229.111.52.in-addr.arpa

        • 8.8.8.8:53
          tse1.mm.bing.net
          dns
          62 B
          173 B
          1
          1

          DNS Request

          tse1.mm.bing.net

          DNS Response

          204.79.197.200
          13.107.21.200

        • 8.8.8.8:53
          205.47.74.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          205.47.74.20.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\iaffmeyc.exe

          Filesize

          14.9MB

          MD5

          bdfbf7fda5d7c51d784a5bf06a385ace

          SHA1

          6e6bd7168c6b9c1963c274275fc37985aa92c69a

          SHA256

          94887828952ce08e3d5c749dee4206b775f734a23404fd59b47821bd87042375

          SHA512

          c48d8209f58ce9031e0bae96e44b21b22ab8ae3fa7f2bb9e2c91bda0387735fe61b5f078147c1e35743f3c55f302adedaa1336fcafb86664659bb3e607678749

        • memory/216-18-0x0000000074C60000-0x0000000075410000-memory.dmp

          Filesize

          7.7MB

        • memory/216-2-0x0000000005DE0000-0x0000000006384000-memory.dmp

          Filesize

          5.6MB

        • memory/216-3-0x00000000058D0000-0x0000000005962000-memory.dmp

          Filesize

          584KB

        • memory/216-4-0x0000000005970000-0x0000000005A0C000-memory.dmp

          Filesize

          624KB

        • memory/216-5-0x0000000074C60000-0x0000000075410000-memory.dmp

          Filesize

          7.7MB

        • memory/216-6-0x0000000006750000-0x0000000006794000-memory.dmp

          Filesize

          272KB

        • memory/216-7-0x0000000006A10000-0x0000000006A1A000-memory.dmp

          Filesize

          40KB

        • memory/216-8-0x00000000076F0000-0x000000000770A000-memory.dmp

          Filesize

          104KB

        • memory/216-9-0x0000000007720000-0x0000000007726000-memory.dmp

          Filesize

          24KB

        • memory/216-10-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

          Filesize

          4KB

        • memory/216-11-0x0000000074C60000-0x0000000075410000-memory.dmp

          Filesize

          7.7MB

        • memory/216-1-0x0000000000C60000-0x0000000000E62000-memory.dmp

          Filesize

          2.0MB

        • memory/216-24-0x0000000074C60000-0x0000000075410000-memory.dmp

          Filesize

          7.7MB

        • memory/216-14-0x0000000074C60000-0x0000000075410000-memory.dmp

          Filesize

          7.7MB

        • memory/216-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

          Filesize

          4KB

        • memory/1964-16-0x0000000074C60000-0x0000000075410000-memory.dmp

          Filesize

          7.7MB

        • memory/1964-15-0x0000000074C60000-0x0000000075410000-memory.dmp

          Filesize

          7.7MB

        • memory/1964-17-0x0000000074C60000-0x0000000075410000-memory.dmp

          Filesize

          7.7MB

        • memory/1964-19-0x0000000074C60000-0x0000000075410000-memory.dmp

          Filesize

          7.7MB

        • memory/1964-20-0x0000000074C60000-0x0000000075410000-memory.dmp

          Filesize

          7.7MB

        • memory/1964-12-0x0000000000400000-0x0000000000538000-memory.dmp

          Filesize

          1.2MB

        • memory/1964-29-0x0000000074C60000-0x0000000075410000-memory.dmp

          Filesize

          7.7MB

        • memory/1964-13-0x0000000000400000-0x0000000000538000-memory.dmp

          Filesize

          1.2MB

        • memory/2512-35-0x00000000083A0000-0x00000000083EC000-memory.dmp

          Filesize

          304KB

        • memory/2512-31-0x0000000008750000-0x0000000008D68000-memory.dmp

          Filesize

          6.1MB

        • memory/2512-32-0x0000000008290000-0x000000000839A000-memory.dmp

          Filesize

          1.0MB

        • memory/2512-33-0x00000000081D0000-0x00000000081E2000-memory.dmp

          Filesize

          72KB

        • memory/2512-34-0x0000000008230000-0x000000000826C000-memory.dmp

          Filesize

          240KB

        • memory/2512-27-0x0000000000400000-0x0000000000484000-memory.dmp

          Filesize

          528KB

        • memory/2512-36-0x00000000084B0000-0x0000000008516000-memory.dmp

          Filesize

          408KB

        • memory/2512-37-0x0000000008DF0000-0x0000000008E66000-memory.dmp

          Filesize

          472KB

        • memory/2512-38-0x0000000008DB0000-0x0000000008DCE000-memory.dmp

          Filesize

          120KB

        • memory/2512-40-0x000000000ACE0000-0x000000000B20C000-memory.dmp

          Filesize

          5.2MB

        • memory/2512-39-0x000000000A3E0000-0x000000000A5A2000-memory.dmp

          Filesize

          1.8MB

        • memory/4848-23-0x0000000000400000-0x0000000000415000-memory.dmp

          Filesize

          84KB

        • memory/4848-21-0x0000000000400000-0x0000000000415000-memory.dmp

          Filesize

          84KB