Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-05-2024 15:01

General

  • Target: a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe
  • Size: 514KB
  • MD5: f7e21fe46471f2c2ed069aef315b7804
  • SHA1: dd6a5df8e71397f470e69c76f39d1c0cc9005028
  • SHA256: a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199
  • SHA512: 0a7019ce31cadd53d2bc8034ae4d07e94efd48240077da373c914b86e16a9395e55d53721c5ebd383fa2bae16ae0ab95f8091f1f779f031d7dacf208e2b41fd6
  • SSDEEP: 12288:fMrLy90LKDglCRXwYt1wZvidrr2fIfvZVHex:MybklLYvOvqWIZI

Malware Config

Extracted

  • Family: amadey
  • Version: 3.86
  • C2: http://77.91.68.61
  • Attributes
    • install_dir: 925e7e99c5
    • install_file: pdates.exe
    • strings_key: ada76b8b0e1f6892ee93c20ab8946117
    • url_paths: /rock/index.php
  • rc4.plain
    • 1: 006700e5a2ab05704bbb0c589b88924d

Extracted

  • Family: redline
  • Botnet: lande
  • C2: 77.91.124.84:19071
  • Attributes
    • auth_value: 9fa41701c47df37786234f3373f21208

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe
    "C:\Users\Admin\AppData\Local\Temp\a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:700
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3586754.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3586754.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3584
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0583191.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0583191.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8862651.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8862651.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3056
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8953925.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8953925.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1460
          • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
            "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2592
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4652
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4056
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                PID:4732
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:N"
                7⤵
                PID:3952
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:R" /E
                7⤵
                PID:4904
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                PID:4276
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\925e7e99c5" /P "Admin:N"
                7⤵
                PID:2456
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\925e7e99c5" /P "Admin:R" /E
                7⤵
                PID:3964
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7221463.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7221463.exe
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:880
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5562257.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5562257.exe
      2⤵
      • Executes dropped EXE
      PID:396
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:2204
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:4976

Network

  • (US) DNS 8.8.8.8.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • (US) DNS 133.211.185.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 133.211.185.52.in-addr.arpa IN PTR
    Response: (empty)
  • (US) DNS 79.190.18.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 79.190.18.2.in-addr.arpa IN PTR
    Response: 79.190.18.2.in-addr.arpa IN PTR a2-18-190-79.deploy.static.akamaitechnologies.com
  • (US) DNS 72.32.126.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 72.32.126.40.in-addr.arpa IN PTR
    Response: (empty)
  • (US) DNS 26.35.223.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 26.35.223.20.in-addr.arpa IN PTR
    Response: (empty)
  • (NL) GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address: 23.62.61.99:443
    Request:
      GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
      host: www.bing.com
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response:
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-type: image/png
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      content-length: 1107
      date: Fri, 10 May 2024 15:01:55 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.5f3d3e17.1715353315.184bdf1
  • (US) DNS 99.61.62.23.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 99.61.62.23.in-addr.arpa IN PTR
    Response: 99.61.62.23.in-addr.arpa IN PTR a23-62-61-99.deploy.static.akamaitechnologies.com
  • (US) DNS 232.168.11.51.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 232.168.11.51.in-addr.arpa IN PTR
    Response: (empty)
  • (US) DNS 240.221.184.93.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 240.221.184.93.in-addr.arpa IN PTR
    Response: (empty)
  • (US) DNS 22.236.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 22.236.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • (US) DNS tse1.mm.bing.net
    Remote address: 8.8.8.8:53
    Request: tse1.mm.bing.net IN A
    Response:
      tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net IN CNAME dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net IN A 204.79.197.200
      dual-a-0001.a-msedge.net IN A 13.107.21.200
  • (US) GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address: 204.79.197.200:443
    Request:
      GET /th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response:
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 476246
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 4A2F5926CE9543A0832EBBFD320A84EA Ref B: LON04EDGE0607 Ref C: 2024-05-10T15:03:33Z
      date: Fri, 10 May 2024 15:03:33 GMT
  • (US) GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address: 204.79.197.200:443
    Request:
      GET /th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response:
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 499516
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 127B4D749BBB4890BA8F4D6ACEF7E465 Ref B: LON04EDGE0607 Ref C: 2024-05-10T15:03:33Z
      date: Fri, 10 May 2024 15:03:33 GMT
  • (US) GET https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address: 204.79.197.200:443
    Request:
      GET /th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response:
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 382817
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: FED53CAA56FD4AE8A4E5D17DBF4FE911 Ref B: LON04EDGE0607 Ref C: 2024-05-10T15:03:33Z
      date: Fri, 10 May 2024 15:03:33 GMT
  • (US) GET https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address: 204.79.197.200:443
    Request:
      GET /th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response:
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 464243
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 34D39BF831F74660870B9DE269F0C4EC Ref B: LON04EDGE0607 Ref C: 2024-05-10T15:03:33Z
      date: Fri, 10 May 2024 15:03:33 GMT

Connections

  • 23.62.61.99:443  https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90  tls, http2  1.5kB  6.4kB  18  12
    HTTP Request: GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    HTTP Response: 200
  • 77.91.68.61:80  pdates.exe  260 B  5
  • 77.91.124.84:19071  d5562257.exe  260 B  5
  • 77.91.68.61:80  pdates.exe  260 B  5
  • 77.91.124.84:19071  d5562257.exe  260 B  5
  • 77.91.68.61:80  pdates.exe  260 B  5
  • 77.91.124.84:19071  d5562257.exe  260 B  5
  • 204.79.197.200:443  tse1.mm.bing.net  tls, http2  1.2kB  8.1kB  16  14
  • 204.79.197.200:443  tse1.mm.bing.net  tls, http2  1.2kB  8.1kB  16  14
  • 204.79.197.200:443  tse1.mm.bing.net  tls, http2  1.2kB  8.1kB  16  14
  • 204.79.197.200:443  https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90  tls, http2  68.0kB  1.9MB  1384  1381
    HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381702592_1OT5ET7HCG1M9EIRY&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381702593_1BLW9LYE0FMIB48EX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381705588_1WA9C34P2B6OXP331&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239381705589_1UZ6HI7DU1RQLXLFR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    HTTP Response: 200
    HTTP Response: 200
    HTTP Response: 200
    HTTP Response: 200
  • 77.91.124.84:19071  d5562257.exe  260 B  5
  • 77.91.124.84:19071  d5562257.exe  156 B  3
  • 8.8.8.8:53  8.8.8.8.in-addr.arpa  dns  66 B  90 B  1  1
    DNS Request: 8.8.8.8.in-addr.arpa
  • 8.8.8.8:53  133.211.185.52.in-addr.arpa  dns  73 B  147 B  1  1
    DNS Request: 133.211.185.52.in-addr.arpa
  • 8.8.8.8:53  79.190.18.2.in-addr.arpa  dns  70 B  133 B  1  1
    DNS Request: 79.190.18.2.in-addr.arpa
  • 8.8.8.8:53  72.32.126.40.in-addr.arpa  dns  71 B  157 B  1  1
    DNS Request: 72.32.126.40.in-addr.arpa
  • 8.8.8.8:53  26.35.223.20.in-addr.arpa  dns  71 B  157 B  1  1
    DNS Request: 26.35.223.20.in-addr.arpa
  • 8.8.8.8:53  99.61.62.23.in-addr.arpa  dns  70 B  133 B  1  1
    DNS Request: 99.61.62.23.in-addr.arpa
  • 8.8.8.8:53  232.168.11.51.in-addr.arpa  dns  72 B  158 B  1  1
    DNS Request: 232.168.11.51.in-addr.arpa
  • 8.8.8.8:53  240.221.184.93.in-addr.arpa  dns  73 B  144 B  1  1
    DNS Request: 240.221.184.93.in-addr.arpa
  • 8.8.8.8:53  22.236.111.52.in-addr.arpa  dns  72 B  158 B  1  1
    DNS Request: 22.236.111.52.in-addr.arpa
  • 8.8.8.8:53  tse1.mm.bing.net  dns  62 B  173 B  1  1
    DNS Request: tse1.mm.bing.net
    DNS Response: 204.79.197.200, 13.107.21.200

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5562257.exe
    Filesize: 173KB
    MD5: dd1b74d72e67cd28e02b713caa05cd7f
    SHA1: 02286dcf5d2539e63754bd5a56ee0953841afda8
    SHA256: 562ee5ce9c7b451285a96cffe1f7428b556334bf295af063e6955d31f1eb4470
    SHA512: c8883f6fcd2673e48dee8503374833a4ec7fcf13cb42973c2fba691979f04992839642ceb16272ab6274edfe2aace8b5ac624679aaf57eed721b74ee752613f4
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3586754.exe
    Filesize: 359KB
    MD5: a98b1aee60c9293eabf6ba711aae5e96
    SHA1: 6573a0977e8cde85cf914e7e376eea4ca5668606
    SHA256: 0e6d7f7ff55818ac5bf366f2e957793f82661203f1b7412ec047e41d38d1e854
    SHA512: 8d31d93243f4873555a1a55433563fc3bf92936b38699485b926aa6a4beb28f1a1d6efda1b62294b1143128d3b13c80093fc56397fccef3c1e2d9fe9dd623bcb
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7221463.exe
    Filesize: 36KB
    MD5: a6d4c00a349bb3d0526f26bfe72c9bcd
    SHA1: 7cd634b68818146282dd8eb3294840ca2045f669
    SHA256: 4769f9625dffff062609fbefc3dd946c173cff9b2eec343f8f9512e4300e0826
    SHA512: a0b89dcfae8d4072f3562a80eb1b83a31f3b7c22c37fdc77681bd010c9962a8e798210d46c6af110f66c47313d48afe27a220fecb45f4c42ca417f466602e4fb
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0583191.exe
    Filesize: 234KB
    MD5: 34cc0804c3666c5778836863e11ebde8
    SHA1: 5d5c4709f92cdafa8e45d6c1103db993d8572ed8
    SHA256: dd9a03ed05e0ebe313b7d9afe5ad05fc5f818989efa4bb335b47bf9acdfb5b42
    SHA512: 6ad265aa04b181fc3f37290cab648801f4fabd3f47e647994dd4eea3aebfd61f756d1ce12110a21b4f41ba8a4b3216b0339732d410f963fde3758d1d4aed6002
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8862651.exe
    Filesize: 12KB
    MD5: e3f66fef21fa2c33ecb7ee8b38167083
    SHA1: 6bea6eaa6c71590aacd5a56b2393f8f8dec7aad9
    SHA256: d87bafa19ea183158a9651bfd9f5c0470d090809cad9016ab81ca87a98f09e43
    SHA512: b3d5e22e6ec85c589982f1e3423bfbe610be32bd5063de49a00595224b403bf32ca530f7b5e70d3286bee837b690d1c781e4fe35b58738897fe3a10249c92cd6
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8953925.exe
    Filesize: 225KB
    MD5: f1a07eabecfbbf04548b08631dbed1cf
    SHA1: b6e90a72e3aeaedeabd206065b36fde14f5bb939
    SHA256: 398d014293a7a2412e7d5e0fdb08a97a1674ff1c5f5a6a46b8e4ee2e0869c2c0
    SHA512: 56b1f02bc4c5e778095cafa6b4c5ad3150448278bffeabc900fd0b7e39a12462b2c571ebbf3201614df296378c062144d79e36e034f86377ff4b1d2cb31e80b4
  • memory/396-47-0x000000000A600000-0x000000000A70A000-memory.dmp
    Filesize: 1.0MB
  • memory/396-44-0x0000000000650000-0x0000000000680000-memory.dmp
    Filesize: 192KB
  • memory/396-45-0x0000000004E30000-0x0000000004E36000-memory.dmp
    Filesize: 24KB
  • memory/396-46-0x000000000AA90000-0x000000000B0A8000-memory.dmp
    Filesize: 6.1MB
  • memory/396-48-0x000000000A540000-0x000000000A552000-memory.dmp
    Filesize: 72KB
  • memory/396-49-0x000000000A5A0000-0x000000000A5DC000-memory.dmp
    Filesize: 240KB
  • memory/396-50-0x0000000002920000-0x000000000296C000-memory.dmp
    Filesize: 304KB
  • memory/880-40-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB
  • memory/3056-22-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize: 40KB
  • memory/3056-21-0x00007FFB0A1A3000-0x00007FFB0A1A5000-memory.dmp
    Filesize: 8KB
