Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 12:57 UTC

General

  • Target

    488c7cb3b3ae680032b59617bf38fb807c934eab7717cda13ee71996311ea718.exe

  • Size

    390KB

  • MD5

    078e639bdbe157831788e26267526968

  • SHA1

    0b642da53c3113b7494a76d768dd718f2dacd118

  • SHA256

    488c7cb3b3ae680032b59617bf38fb807c934eab7717cda13ee71996311ea718

  • SHA512

    0cdbb92f05f7439d891c870bfb31acfac9684f351cebb7816a4320e136008b1f243ec3a37e06be4661f5d57c67b845e83a207fa43dead8c525fb64f1cbf158d8

  • SSDEEP

    12288:cMr6y90GnTK6c3hvStGHQcHnl9DPLxUe:GyHe6c3tStSvH3LxD

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

  • rc4.plain

    1: 006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\488c7cb3b3ae680032b59617bf38fb807c934eab7717cda13ee71996311ea718.exe
    "C:\Users\Admin\AppData\Local\Temp\488c7cb3b3ae680032b59617bf38fb807c934eab7717cda13ee71996311ea718.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3511036.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3511036.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3716
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3083728.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3083728.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4864
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9319236.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9319236.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
          "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:4504
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3984
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:4428
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "danke.exe" /P "Admin:N"
              6⤵
              PID:1752
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "danke.exe" /P "Admin:R" /E
              6⤵
              PID:4464
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:3564
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\3ec1f323b5" /P "Admin:N"
              6⤵
              PID:3620
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\3ec1f323b5" /P "Admin:R" /E
              6⤵
              PID:3476
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n1169798.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n1169798.exe
      2⤵
      • Executes dropped EXE
      PID:1364
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3440,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
    1⤵
    PID:368
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:3580
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:3220

Network

  • [US] DNS g.bing.com
    Remote address: 8.8.8.8:53
    Request:
      g.bing.com IN A
    Response:
      g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net IN A 204.79.197.237
      dual-a-0034.a-msedge.net IN A 13.107.21.237
  • [US] GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
    Remote address: 204.79.197.237:443
    Request:
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response:
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=1ED6058E94AA65B6327911F4954A649D; domain=.bing.com; expires=Tue, 03-Jun-2025 12:57:26 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: EA0AD2191394476991C7A457F8BBA669 Ref B: LON04EDGE1021 Ref C: 2024-05-09T12:57:26Z
      date: Thu, 09 May 2024 12:57:26 GMT
  • [US] GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
    Remote address: 204.79.197.237:443
    Request:
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=1ED6058E94AA65B6327911F4954A649D
    Response:
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=N_loHsVNpdZzFphFg0UkhZNDFZ138XcQb6tEJAv72M0; domain=.bing.com; expires=Tue, 03-Jun-2025 12:57:27 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 9CE2030B0B9240B9976FAFACB8514067 Ref B: LON04EDGE1021 Ref C: 2024-05-09T12:57:27Z
      date: Thu, 09 May 2024 12:57:26 GMT
  • [US] GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
    Remote address: 204.79.197.237:443
    Request:
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=1ED6058E94AA65B6327911F4954A649D; MSPTC=N_loHsVNpdZzFphFg0UkhZNDFZ138XcQb6tEJAv72M0
    Response:
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 23D10BC80EA448D7A0D710091B5C8668 Ref B: LON04EDGE1021 Ref C: 2024-05-09T12:57:27Z
      date: Thu, 09 May 2024 12:57:26 GMT
  • [BE] GET https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90
    Remote address: 88.221.83.202:443
    Request:
      GET /th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90 HTTP/2.0
      host: www.bing.com
      accept: */*
      cookie: MUID=1ED6058E94AA65B6327911F4954A649D; MSPTC=N_loHsVNpdZzFphFg0UkhZNDFZ138XcQb6tEJAv72M0
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response:
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-type: image/png
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      content-length: 5773
      date: Thu, 09 May 2024 12:57:27 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.c653dd58.1715259447.12d2c6dc
  • [BE] GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address: 88.221.83.202:443
    Request:
      GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
      host: www.bing.com
      accept: */*
      cookie: MUID=1ED6058E94AA65B6327911F4954A649D; MSPTC=N_loHsVNpdZzFphFg0UkhZNDFZ138XcQb6tEJAv72M0
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response:
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-type: image/png
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      content-length: 1107
      date: Thu, 09 May 2024 12:57:27 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.c653dd58.1715259447.12d2c716
  • [US] DNS 8.8.8.8.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      8.8.8.8.in-addr.arpa IN PTR
    Response:
      8.8.8.8.in-addr.arpa IN PTR dns.google
  • [US] DNS 73.159.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      73.159.190.20.in-addr.arpa IN PTR
    Response: none recorded
  • [US] DNS 79.190.18.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      79.190.18.2.in-addr.arpa IN PTR
    Response:
      79.190.18.2.in-addr.arpa IN PTR a2-18-190-79.deploy.static.akamaitechnologies.com
  • [US] DNS 237.197.79.204.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      237.197.79.204.in-addr.arpa IN PTR
    Response: none recorded
  • [US] DNS 26.35.223.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      26.35.223.20.in-addr.arpa IN PTR
    Response: none recorded
  • [US] DNS 202.83.221.88.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      202.83.221.88.in-addr.arpa IN PTR
    Response:
      202.83.221.88.in-addr.arpa IN PTR a88-221-83-202.deploy.static.akamaitechnologies.com
  • [US] DNS 19.229.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      19.229.111.52.in-addr.arpa IN PTR
    Response: none recorded
  • [US] DNS 172.210.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:
      172.210.232.199.in-addr.arpa IN PTR
    Response: none recorded
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
    tls, http2 | 2.0kB | 9.2kB | 22 | 19
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
    HTTP Response: 204
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
    HTTP Response: 204
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d18ec75ba5e54615a2ba7dbfa3adde04&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
    HTTP Response: 204
  • 88.221.83.202:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2 | 1.9kB | 12.8kB | 23 | 17
    HTTP Request: GET https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90
    HTTP Response: 200
    HTTP Request: GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    HTTP Response: 200
  • 88.221.83.202:443
    www.bing.com
    tls, http2 | 1.0kB | 4.7kB | 13 | 9
  • 77.91.68.3:80
    danke.exe
    260 B | 5
  • 77.91.68.68:19071
    n1169798.exe
    260 B | 5
  • 77.91.68.68:19071
    n1169798.exe
    260 B | 5
  • 77.91.68.3:80
    danke.exe
    260 B | 5
  • 77.91.68.68:19071
    n1169798.exe
    260 B | 5
  • 77.91.68.3:80
    danke.exe
    260 B | 5
  • 77.91.68.68:19071
    n1169798.exe
    260 B | 5
  • 77.91.68.3:80
    danke.exe
    260 B | 5
  • 77.91.68.68:19071
    n1169798.exe
    260 B | 5
  • 77.91.68.3:80
    danke.exe
    208 B | 4
  • 77.91.68.68:19071
    n1169798.exe
    208 B | 4
  • 8.8.8.8:53
    g.bing.com
    dns | 56 B | 151 B | 1 | 1
    DNS Request: g.bing.com
    DNS Response: 204.79.197.237, 13.107.21.237
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns | 66 B | 90 B | 1 | 1
    DNS Request: 8.8.8.8.in-addr.arpa
  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns | 72 B | 158 B | 1 | 1
    DNS Request: 73.159.190.20.in-addr.arpa
  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns | 70 B | 133 B | 1 | 1
    DNS Request: 79.190.18.2.in-addr.arpa
  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns | 73 B | 143 B | 1 | 1
    DNS Request: 237.197.79.204.in-addr.arpa
  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns | 71 B | 157 B | 1 | 1
    DNS Request: 26.35.223.20.in-addr.arpa
  • 8.8.8.8:53
    202.83.221.88.in-addr.arpa
    dns | 72 B | 137 B | 1 | 1
    DNS Request: 202.83.221.88.in-addr.arpa
  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns | 72 B | 158 B | 1 | 1
    DNS Request: 19.229.111.52.in-addr.arpa
  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns | 74 B | 128 B | 1 | 1
    DNS Request: 172.210.232.199.in-addr.arpa


MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n1169798.exe
    Filesize: 172KB
    MD5: 712b7e2f9c05ab8b12fcc06598ac4894
    SHA1: f727b41b8647c6c737b937365a30fc363b760c8b
    SHA256: 88fc56b6ecdbbc3261dcb3efc808628d93624244f41b401b781a00fde547f88e
    SHA512: 4e4581109a2050155aba7f9c2b74c46eef92530741244d59bcf40e3eb839d5ffc09dcda91a67ca883506fb2ee2a01cb8d22872d901f40ab95b43330022304cfe
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3511036.exe
    Filesize: 235KB
    MD5: 136e65445941788b2614fb902f6d0347
    SHA1: 961f3f99a3819676d0e472b2f4dfd3a12292004a
    SHA256: 7159034f3afc9aedf5719534119d61e4737ebee634e7974951fd591c82295eab
    SHA512: d936cf92d1ce1b17286074540c54f4aa351c72788006984bb6080a74c67c70638c1a3b8d7f6c19580b3b31e1b6d2f26a9fbecc14b39feb5331c6562323d694e6
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3083728.exe
    Filesize: 11KB
    MD5: 7e93bacbbc33e6652e147e7fe07572a0
    SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
    SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
    SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9319236.exe
    Filesize: 224KB
    MD5: 8c6b79ec436d7cf6950a804c1ec7d3e9
    SHA1: 4a589d5605d8ef785fdc78b0bf64e769e3a21ad6
    SHA256: 4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
    SHA512: 06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce
  • memory/1364-36-0x0000000005080000-0x000000000518A000-memory.dmp
    Filesize: 1.0MB
  • memory/1364-33-0x00000000004F0000-0x0000000000520000-memory.dmp
    Filesize: 192KB
  • memory/1364-34-0x0000000004CD0000-0x0000000004CD6000-memory.dmp
    Filesize: 24KB
  • memory/1364-35-0x0000000005550000-0x0000000005B68000-memory.dmp
    Filesize: 6.1MB
  • memory/1364-37-0x0000000004FC0000-0x0000000004FD2000-memory.dmp
    Filesize: 72KB
  • memory/1364-38-0x0000000005020000-0x000000000505C000-memory.dmp
    Filesize: 240KB
  • memory/1364-39-0x0000000005190000-0x00000000051DC000-memory.dmp
    Filesize: 304KB
  • memory/4864-15-0x00000000005E0000-0x00000000005EA000-memory.dmp
    Filesize: 40KB
  • memory/4864-14-0x00007FFE9F8C3000-0x00007FFE9F8C5000-memory.dmp
    Filesize: 8KB
