Analysis
-
max time kernel
141s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
19-07-2024 04:07
Behavioral task
behavioral1
Sample
SolaraTSBV2.0.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
SolaraTSBV2.0.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
Stub.pyc
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
Stub.pyc
Resource
win10v2004-20240709-en
General
-
Target
SolaraTSBV2.0.exe
-
Size
22.8MB
-
MD5
db65708af40f2682eabc532e71cdfbce
-
SHA1
935346957fcdc18d3e8ed59c3496a6c521ff3295
-
SHA256
aa262cc1ddfb11c8e14f8628fe7af6f796b8da482f67aeb3f487cfb7567111a4
-
SHA512
ed9753917d239f5f76b4d9eb6437eb51f1b69a903959956d0210f6baa3601f1f6a1fab5b071df5e01e154c064f6dd111716c9d82a8b6a0ead7f535bb488f5632
-
SSDEEP
393216:n+7h2Jp5MivX+9/pWFGR7c2BsnqrIW1RaDH:n+7hEvX+9/pWKGFeq
Malware Config
Signatures
-
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 1400 netsh.exe 1460 netsh.exe -
Loads dropped DLL 31 IoCs
pid Process 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe 2800 SolaraTSBV2.0.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x0007000000023510-46.dat upx behavioral2/memory/2800-50-0x00007FFAA0F00000-0x00007FFAA14E8000-memory.dmp upx behavioral2/files/0x00070000000234e1-52.dat upx behavioral2/files/0x0007000000023511-63.dat upx behavioral2/files/0x000700000002350e-62.dat upx behavioral2/files/0x000700000002350b-61.dat upx behavioral2/files/0x0007000000023509-60.dat upx behavioral2/files/0x000700000002350a-59.dat upx behavioral2/memory/2800-58-0x00007FFAB3BF0000-0x00007FFAB3C14000-memory.dmp upx behavioral2/files/0x00070000000234eb-78.dat upx behavioral2/memory/2800-79-0x00007FFAB7D70000-0x00007FFAB7D7F000-memory.dmp upx behavioral2/files/0x00070000000234e8-75.dat upx behavioral2/files/0x00070000000234df-82.dat upx behavioral2/files/0x00070000000234e4-83.dat upx behavioral2/memory/2800-87-0x00007FFAB01C0000-0x00007FFAB01ED000-memory.dmp upx behavioral2/files/0x00070000000234e9-88.dat upx behavioral2/memory/2800-86-0x00007FFAB3BD0000-0x00007FFAB3BE9000-memory.dmp upx behavioral2/files/0x0007000000023512-89.dat upx behavioral2/memory/2800-90-0x00007FFAB0190000-0x00007FFAB01B3000-memory.dmp upx behavioral2/memory/2800-91-0x00007FFAAD160000-0x00007FFAAD2D3000-memory.dmp upx behavioral2/memory/2800-85-0x00007FFAB4C30000-0x00007FFAB4C3D000-memory.dmp upx behavioral2/memory/2800-84-0x00007FFAB6340000-0x00007FFAB6359000-memory.dmp upx behavioral2/files/0x00070000000234ea-77.dat upx behavioral2/files/0x00070000000234e7-74.dat upx behavioral2/files/0x00070000000234e6-73.dat upx behavioral2/files/0x00070000000234e5-72.dat upx behavioral2/files/0x00070000000234e3-70.dat upx behavioral2/files/0x00070000000234e2-69.dat upx behavioral2/files/0x00070000000234e0-68.dat upx behavioral2/files/0x00070000000234de-66.dat upx behavioral2/files/0x0007000000023513-65.dat upx behavioral2/memory/2800-93-0x00007FFAB0020000-0x00007FFAB004E000-memory.dmp upx behavioral2/memory/2800-95-0x00007FFAAFE90000-0x00007FFAAFF48000-memory.dmp upx behavioral2/memory/2800-98-0x00007FFAACDE0000-0x00007FFAAD155000-memory.dmp upx behavioral2/memory/2800-101-0x00007FFAB3B30000-0x00007FFAB3B45000-memory.dmp upx behavioral2/files/0x000700000002350d-104.dat upx behavioral2/memory/2800-108-0x00007FFAB0000000-0x00007FFAB0014000-memory.dmp upx behavioral2/memory/2800-107-0x00007FFAB09C0000-0x00007FFAB09D4000-memory.dmp upx behavioral2/memory/2800-106-0x00007FFAB3AA0000-0x00007FFAB3AB2000-memory.dmp upx behavioral2/memory/2800-110-0x00007FFAA0F00000-0x00007FFAA14E8000-memory.dmp upx behavioral2/memory/2800-115-0x00007FFAAF4F0000-0x00007FFAAF512000-memory.dmp upx behavioral2/memory/2800-114-0x00007FFAB3BF0000-0x00007FFAB3C14000-memory.dmp upx behavioral2/files/0x0007000000023515-113.dat upx behavioral2/files/0x00070000000234ed-116.dat upx behavioral2/files/0x00070000000234ef-118.dat upx behavioral2/files/0x00070000000234ee-120.dat upx behavioral2/files/0x00070000000234f0-123.dat upx behavioral2/memory/2800-111-0x00007FFAAA130000-0x00007FFAAA24C000-memory.dmp upx behavioral2/files/0x0007000000023506-127.dat upx behavioral2/files/0x0007000000023508-126.dat upx behavioral2/memory/2800-133-0x00007FFAABC20000-0x00007FFAABC3E000-memory.dmp upx behavioral2/memory/2800-132-0x00007FFAB08E0000-0x00007FFAB08EA000-memory.dmp upx behavioral2/memory/2800-131-0x00007FFAAC2C0000-0x00007FFAAC2D1000-memory.dmp upx behavioral2/memory/2800-130-0x00007FFAACB80000-0x00007FFAACBCA000-memory.dmp upx behavioral2/memory/2800-129-0x00007FFAACBD0000-0x00007FFAACBE9000-memory.dmp upx behavioral2/memory/2800-128-0x00007FFAAFAF0000-0x00007FFAAFB07000-memory.dmp upx behavioral2/memory/2800-136-0x00007FFAA0800000-0x00007FFAA0EF4000-memory.dmp upx behavioral2/memory/2800-135-0x00007FFAB6340000-0x00007FFAB6359000-memory.dmp upx behavioral2/memory/2800-140-0x00007FFAAA0F0000-0x00007FFAAA128000-memory.dmp upx behavioral2/memory/2800-139-0x00007FFAAD160000-0x00007FFAAD2D3000-memory.dmp upx behavioral2/memory/2800-138-0x00007FFAB0190000-0x00007FFAB01B3000-memory.dmp upx behavioral2/memory/2800-190-0x00007FFAB0020000-0x00007FFAB004E000-memory.dmp upx behavioral2/memory/2800-191-0x00007FFAAFE80000-0x00007FFAAFE8D000-memory.dmp upx behavioral2/memory/2800-208-0x00007FFAAFE90000-0x00007FFAAFF48000-memory.dmp upx -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 32 discord.com 27 discord.com 28 discord.com 29 discord.com 30 discord.com 31 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 20 ip-api.com -
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
pid Process 4868 cmd.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3656 sc.exe -
Detects Pyinstaller 1 IoCs
resource yara_rule behavioral2/files/0x0008000000023519-152.dat pyinstaller -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.
pid Process 320 WMIC.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 4488 WMIC.exe -
Enumerates processes with tasklist 1 TTPs 5 IoCs
pid Process 1660 tasklist.exe 2036 tasklist.exe 4512 tasklist.exe 2156 tasklist.exe 2964 tasklist.exe -
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid Process 3880 ipconfig.exe 4320 NETSTAT.EXE -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 464 systeminfo.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 4788 powershell.exe 4788 powershell.exe 4788 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4488 WMIC.exe Token: SeSecurityPrivilege 4488 WMIC.exe Token: SeTakeOwnershipPrivilege 4488 WMIC.exe Token: SeLoadDriverPrivilege 4488 WMIC.exe Token: SeSystemProfilePrivilege 4488 WMIC.exe Token: SeSystemtimePrivilege 4488 WMIC.exe Token: SeProfSingleProcessPrivilege 4488 WMIC.exe Token: SeIncBasePriorityPrivilege 4488 WMIC.exe Token: SeCreatePagefilePrivilege 4488 WMIC.exe Token: SeBackupPrivilege 4488 WMIC.exe Token: SeRestorePrivilege 4488 WMIC.exe Token: SeIncreaseQuotaPrivilege 1500 WMIC.exe Token: SeShutdownPrivilege 4488 WMIC.exe Token: SeDebugPrivilege 4488 WMIC.exe Token: SeSecurityPrivilege 1500 WMIC.exe Token: SeSystemEnvironmentPrivilege 4488 WMIC.exe Token: SeRemoteShutdownPrivilege 4488 WMIC.exe Token: SeTakeOwnershipPrivilege 1500 WMIC.exe Token: SeUndockPrivilege 4488 WMIC.exe Token: SeLoadDriverPrivilege 1500 WMIC.exe Token: SeManageVolumePrivilege 4488 WMIC.exe Token: SeSystemProfilePrivilege 1500 WMIC.exe Token: 33 4488 WMIC.exe Token: SeSystemtimePrivilege 1500 WMIC.exe Token: 34 4488 WMIC.exe Token: SeProfSingleProcessPrivilege 1500 WMIC.exe Token: 35 4488 WMIC.exe Token: SeIncBasePriorityPrivilege 1500 WMIC.exe Token: 36 4488 WMIC.exe Token: SeCreatePagefilePrivilege 1500 WMIC.exe Token: SeBackupPrivilege 1500 WMIC.exe Token: SeRestorePrivilege 1500 WMIC.exe Token: SeShutdownPrivilege 1500 WMIC.exe Token: SeDebugPrivilege 1500 WMIC.exe Token: SeSystemEnvironmentPrivilege 1500 WMIC.exe Token: SeRemoteShutdownPrivilege 1500 WMIC.exe Token: SeUndockPrivilege 1500 WMIC.exe Token: SeManageVolumePrivilege 1500 WMIC.exe Token: 33 1500 WMIC.exe Token: 34 1500 WMIC.exe Token: 35 1500 WMIC.exe Token: 36 1500 WMIC.exe Token: SeDebugPrivilege 1660 tasklist.exe Token: SeIncreaseQuotaPrivilege 4488 WMIC.exe Token: SeSecurityPrivilege 4488 WMIC.exe Token: SeTakeOwnershipPrivilege 4488 WMIC.exe Token: SeLoadDriverPrivilege 4488 WMIC.exe Token: SeSystemProfilePrivilege 4488 WMIC.exe Token: SeSystemtimePrivilege 4488 WMIC.exe Token: SeProfSingleProcessPrivilege 4488 WMIC.exe Token: SeIncBasePriorityPrivilege 4488 WMIC.exe Token: SeCreatePagefilePrivilege 4488 WMIC.exe Token: SeBackupPrivilege 4488 WMIC.exe Token: SeRestorePrivilege 4488 WMIC.exe Token: SeShutdownPrivilege 4488 WMIC.exe Token: SeDebugPrivilege 4488 WMIC.exe Token: SeSystemEnvironmentPrivilege 4488 WMIC.exe Token: SeRemoteShutdownPrivilege 4488 WMIC.exe Token: SeUndockPrivilege 4488 WMIC.exe Token: SeManageVolumePrivilege 4488 WMIC.exe Token: 33 4488 WMIC.exe Token: 34 4488 WMIC.exe Token: 35 4488 WMIC.exe Token: 36 4488 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3648 wrote to memory of 2800 3648 SolaraTSBV2.0.exe 85 PID 3648 wrote to memory of 2800 3648 SolaraTSBV2.0.exe 85 PID 2800 wrote to memory of 3840 2800 SolaraTSBV2.0.exe 88 PID 2800 wrote to memory of 3840 2800 SolaraTSBV2.0.exe 88 PID 2800 wrote to memory of 5072 2800 SolaraTSBV2.0.exe 90 PID 2800 wrote to memory of 5072 2800 SolaraTSBV2.0.exe 90 PID 2800 wrote to memory of 3988 2800 SolaraTSBV2.0.exe 91 PID 2800 wrote to memory of 3988 2800 SolaraTSBV2.0.exe 91 PID 2800 wrote to memory of 4988 2800 SolaraTSBV2.0.exe 92 PID 2800 wrote to memory of 4988 2800 SolaraTSBV2.0.exe 92 PID 2800 wrote to memory of 2220 2800 SolaraTSBV2.0.exe 94 PID 2800 wrote to memory of 2220 2800 SolaraTSBV2.0.exe 94 PID 5072 wrote to memory of 4488 5072 cmd.exe 98 PID 5072 wrote to memory of 4488 5072 cmd.exe 98 PID 3988 wrote to memory of 1500 3988 cmd.exe 100 PID 3988 wrote to memory of 1500 3988 cmd.exe 100 PID 2220 wrote to memory of 1660 2220 cmd.exe 99 PID 2220 wrote to memory of 1660 2220 cmd.exe 99 PID 2800 wrote to memory of 3368 2800 SolaraTSBV2.0.exe 102 PID 2800 wrote to memory of 3368 2800 SolaraTSBV2.0.exe 102 PID 3368 wrote to memory of 536 3368 cmd.exe 104 PID 3368 wrote to memory of 536 3368 cmd.exe 104 PID 2800 wrote to memory of 4404 2800 SolaraTSBV2.0.exe 105 PID 2800 wrote to memory of 4404 2800 SolaraTSBV2.0.exe 105 PID 2800 wrote to memory of 1096 2800 SolaraTSBV2.0.exe 106 PID 2800 wrote to memory of 1096 2800 SolaraTSBV2.0.exe 106 PID 1096 wrote to memory of 2036 1096 cmd.exe 109 PID 1096 wrote to memory of 2036 1096 cmd.exe 109 PID 4404 wrote to memory of 4172 4404 cmd.exe 110 PID 4404 wrote to memory of 4172 4404 cmd.exe 110 PID 2800 wrote to memory of 4868 2800 SolaraTSBV2.0.exe 111 PID 2800 wrote to memory of 4868 2800 SolaraTSBV2.0.exe 111 PID 4868 wrote to memory of 4820 4868 cmd.exe 113 PID 4868 wrote to memory of 4820 4868 cmd.exe 113 PID 2800 wrote to memory of 4736 2800 SolaraTSBV2.0.exe 114 PID 2800 wrote to memory of 4736 2800 SolaraTSBV2.0.exe 114 PID 2800 wrote to memory of 3808 2800 SolaraTSBV2.0.exe 116 PID 2800 wrote to memory of 3808 2800 SolaraTSBV2.0.exe 116 PID 4736 wrote to memory of 2824 4736 cmd.exe 118 PID 4736 wrote to memory of 2824 4736 cmd.exe 118 PID 3808 wrote to memory of 4512 3808 cmd.exe 119 PID 3808 wrote to memory of 4512 3808 cmd.exe 119 PID 2800 wrote to memory of 3116 2800 SolaraTSBV2.0.exe 120 PID 2800 wrote to memory of 3116 2800 SolaraTSBV2.0.exe 120 PID 2800 wrote to memory of 2324 2800 SolaraTSBV2.0.exe 121 PID 2800 wrote to memory of 2324 2800 SolaraTSBV2.0.exe 121 PID 2800 wrote to memory of 2784 2800 SolaraTSBV2.0.exe 122 PID 2800 wrote to memory of 2784 2800 SolaraTSBV2.0.exe 122 PID 2800 wrote to memory of 4892 2800 SolaraTSBV2.0.exe 124 PID 2800 wrote to memory of 4892 2800 SolaraTSBV2.0.exe 124 PID 2324 wrote to memory of 3700 2324 cmd.exe 128 PID 2324 wrote to memory of 3700 2324 cmd.exe 128 PID 3116 wrote to memory of 4612 3116 cmd.exe 129 PID 3116 wrote to memory of 4612 3116 cmd.exe 129 PID 3700 wrote to memory of 4876 3700 cmd.exe 130 PID 3700 wrote to memory of 4876 3700 cmd.exe 130 PID 4892 wrote to memory of 4788 4892 cmd.exe 131 PID 4892 wrote to memory of 4788 4892 cmd.exe 131 PID 4612 wrote to memory of 2244 4612 cmd.exe 132 PID 4612 wrote to memory of 2244 4612 cmd.exe 132 PID 2784 wrote to memory of 2156 2784 cmd.exe 133 PID 2784 wrote to memory of 2156 2784 cmd.exe 133 PID 2800 wrote to memory of 832 2800 SolaraTSBV2.0.exe 134 PID 2800 wrote to memory of 832 2800 SolaraTSBV2.0.exe 134 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4820 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SolaraTSBV2.0.exe"C:\Users\Admin\AppData\Local\Temp\SolaraTSBV2.0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\SolaraTSBV2.0.exe"C:\Users\Admin\AppData\Local\Temp\SolaraTSBV2.0.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"3⤵PID:3840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:4488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"3⤵
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get Manufacturer4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "gdb --version"3⤵PID:4988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"3⤵
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"3⤵
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_ComputerSystem get Manufacturer4⤵PID:536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵PID:4172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"3⤵
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:2036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""3⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"4⤵
- Views/modifies file attributes
PID:4820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""3⤵
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"4⤵PID:2824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"3⤵
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
PID:4512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"3⤵
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\system32\cmd.execmd.exe /c chcp4⤵
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\system32\chcp.comchcp5⤵PID:2244
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"3⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\system32\cmd.execmd.exe /c chcp4⤵
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\system32\chcp.comchcp5⤵PID:4876
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
PID:2156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"3⤵
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Clipboard4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4788
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profiles"3⤵PID:832
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"3⤵PID:2492
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
PID:464
-
-
C:\Windows\system32\HOSTNAME.EXEhostname4⤵PID:1784
-
-
C:\Windows\System32\Wbem\WMIC.exewmic logicaldisk get caption,description,providername4⤵
- Collects information from the system
PID:320
-
-
C:\Windows\system32\net.exenet user4⤵PID:4036
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user5⤵PID:1600
-
-
-
C:\Windows\system32\query.exequery user4⤵PID:820
-
C:\Windows\system32\quser.exe"C:\Windows\system32\quser.exe"5⤵PID:2220
-
-
-
C:\Windows\system32\net.exenet localgroup4⤵PID:1732
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup5⤵PID:2252
-
-
-
C:\Windows\system32\net.exenet localgroup administrators4⤵PID:668
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators5⤵PID:4172
-
-
-
C:\Windows\system32\net.exenet user guest4⤵PID:4764
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user guest5⤵PID:4772
-
-
-
C:\Windows\system32\net.exenet user administrator4⤵PID:3272
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator5⤵PID:1308
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic startup get caption,command4⤵PID:2036
-
-
C:\Windows\system32\tasklist.exetasklist /svc4⤵
- Enumerates processes with tasklist
PID:2964
-
-
C:\Windows\system32\ipconfig.exeipconfig /all4⤵
- Gathers network information
PID:3880
-
-
C:\Windows\system32\ROUTE.EXEroute print4⤵PID:220
-
-
C:\Windows\system32\ARP.EXEarp -a4⤵PID:4316
-
-
C:\Windows\system32\NETSTAT.EXEnetstat -ano4⤵
- Gathers network information
PID:4320
-
-
C:\Windows\system32\sc.exesc query type= service state= all4⤵
- Launches sc.exe
PID:3656
-
-
C:\Windows\system32\netsh.exenetsh firewall show state4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1460
-
-
C:\Windows\system32\netsh.exenetsh firewall show config4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵PID:2860
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵PID:2852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵PID:4264
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵PID:216
-
-
-
Network
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
Remote address:208.95.112.1:80RequestGET /json HTTP/1.1
Host: ip-api.com
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Python/3.11 aiohttp/3.9.3
ResponseHTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 311
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
-
Remote address:8.8.8.8:53Request1.112.95.208.in-addr.arpaIN PTRResponse1.112.95.208.in-addr.arpaIN PTRip-apicom
-
Remote address:8.8.8.8:53Requestdiscord.comIN AResponsediscord.comIN A162.159.135.232discord.comIN A162.159.128.233discord.comIN A162.159.136.232discord.comIN A162.159.138.232discord.comIN A162.159.137.232
-
Remote address:8.8.8.8:53Request232.135.159.162.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request233.128.159.162.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request232.136.159.162.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request232.138.159.162.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request232.137.159.162.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request157.123.68.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418597_1J0EQ8ZTOVJVXHV7G&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418597_1J0EQ8ZTOVJVXHV7G&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 539839
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 53DC1B6B4EA1423387A2C40C6D9DE7E3 Ref B: LON04EDGE0820 Ref C: 2024-07-19T04:09:46Z
date: Fri, 19 Jul 2024 04:09:46 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301490_1LPSK7N2TS8HCTMAM&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239317301490_1LPSK7N2TS8HCTMAM&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 492694
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 31A98217622C46D4A5873AA542D644B7 Ref B: LON04EDGE0820 Ref C: 2024-07-19T04:09:46Z
date: Fri, 19 Jul 2024 04:09:46 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360494465_1WL11PE3QHWZ3Q9V1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360494465_1WL11PE3QHWZ3Q9V1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 374381
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6A1ED1F73613429297007CABDA4B41D1 Ref B: LON04EDGE0820 Ref C: 2024-07-19T04:09:46Z
date: Fri, 19 Jul 2024 04:09:46 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418598_1HURUV6S4V3U642BB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340418598_1HURUV6S4V3U642BB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 618450
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: BF08BED6C9884B70AA9BB86EA2E88A84 Ref B: LON04EDGE0820 Ref C: 2024-07-19T04:09:46Z
date: Fri, 19 Jul 2024 04:09:46 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301057_1JHF9NK2IDFKNUSZM&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239317301057_1JHF9NK2IDFKNUSZM&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 668702
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 47E73BF5A5B24B9ABACAF2A761D693AB Ref B: LON04EDGE0820 Ref C: 2024-07-19T04:09:46Z
date: Fri, 19 Jul 2024 04:09:46 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239360494466_1NE7RS5P7DA5W3Y3W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239360494466_1NE7RS5P7DA5W3Y3W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 491307
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FA1B30DB421C429585540C22287DAD9C Ref B: LON04EDGE0820 Ref C: 2024-07-19T04:09:47Z
date: Fri, 19 Jul 2024 04:09:46 GMT
-
Remote address:8.8.8.8:53Request25.140.123.92.in-addr.arpaIN PTRResponse25.140.123.92.in-addr.arpaIN PTRa92-123-140-25deploystaticakamaitechnologiescom
-
-
354 B 620 B 5 3
HTTP Request
GET http://ip-api.com/jsonHTTP Response
200 -
-
-
-
-
793 B 2.8kB 6 5
-
793 B 2.8kB 6 5
-
793 B 2.8kB 6 5
-
793 B 2.8kB 6 5
-
793 B 2.8kB 6 5
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
150.171.27.10:443https://tse1.mm.bing.net/th?id=OADD2.10239360494466_1NE7RS5P7DA5W3Y3W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http2131.4kB 3.3MB 2399 2392
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418597_1J0EQ8ZTOVJVXHV7G&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301490_1LPSK7N2TS8HCTMAM&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360494465_1WL11PE3QHWZ3Q9V1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418598_1HURUV6S4V3U642BB&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301057_1JHF9NK2IDFKNUSZM&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239360494466_1NE7RS5P7DA5W3Y3W&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200 -
1.2kB 6.9kB 15 13
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
56 B 72 B 1 1
DNS Request
ip-api.com
DNS Response
208.95.112.1
-
71 B 95 B 1 1
DNS Request
1.112.95.208.in-addr.arpa
-
57 B 137 B 1 1
DNS Request
discord.com
DNS Response
162.159.135.232162.159.128.233162.159.136.232162.159.138.232162.159.137.232
-
74 B 136 B 1 1
DNS Request
232.135.159.162.in-addr.arpa
-
74 B 136 B 1 1
DNS Request
233.128.159.162.in-addr.arpa
-
74 B 136 B 1 1
DNS Request
232.136.159.162.in-addr.arpa
-
74 B 136 B 1 1
DNS Request
232.138.159.162.in-addr.arpa
-
74 B 136 B 1 1
DNS Request
232.137.159.162.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
157.123.68.40.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
88.156.103.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10150.171.28.10
-
72 B 137 B 1 1
DNS Request
25.140.123.92.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22.8MB
MD5db65708af40f2682eabc532e71cdfbce
SHA1935346957fcdc18d3e8ed59c3496a6c521ff3295
SHA256aa262cc1ddfb11c8e14f8628fe7af6f796b8da482f67aeb3f487cfb7567111a4
SHA512ed9753917d239f5f76b4d9eb6437eb51f1b69a903959956d0210f6baa3601f1f6a1fab5b071df5e01e154c064f6dd111716c9d82a8b6a0ead7f535bb488f5632
-
Filesize
96KB
MD5f12681a472b9dd04a812e16096514974
SHA16fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA5127d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
Filesize
34KB
MD51b8ce772a230a5da8cbdccd8914080a5
SHA140d4faf1308d1af6ef9f3856a4f743046fd0ead5
SHA256fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f
SHA512d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603
-
Filesize
46KB
MD580c69a1d87f0c82d6c4268e5a8213b78
SHA1bae059da91d48eaac4f1bb45ca6feee2c89a2c06
SHA256307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87
SHA512542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d
-
Filesize
71KB
MD52443ecaddfe40ee5130539024324e7fc
SHA1ea74aaf7848de0a078a1510c3430246708631108
SHA2569a5892ac0cd00c44cd7744d60c9459f302d5984ddb395caea52e4d8fd9bca2da
SHA5125896af78cf208e1350cf2c31f913aa100098dd1cf4bae77cd2a36ec7695015986ec9913df8d2ebc9992f8f7d48bba102647dc5ee7f776593ae7be36f46bd5c93
-
Filesize
57KB
MD5b4c41a4a46e1d08206c109ce547480c7
SHA19588387007a49ec2304160f27376aedca5bc854d
SHA2569925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9
SHA51230debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33
-
Filesize
104KB
MD5e9501519a447b13dcca19e09140c9e84
SHA1472b1aa072454d065dfe415a05036ffd8804c181
SHA2566b5fe2dea13b84e40b0278d1702aa29e9e2091f9dc09b64bbff5fd419a604c3c
SHA512ef481e0e4f9b277642652cd090634e1c04702df789e2267a87205e0fe12b00f1de6cdd4fafb51da01efa726606c0b57fcb2ea373533c772983fc4777dc0acc63
-
Filesize
33KB
MD50629bdb5ff24ce5e88a2ddcede608aee
SHA147323370992b80dafb6f210b0d0229665b063afb
SHA256f404bb8371618bbd782201f092a3bcd7a96d3c143787ebea1d8d86ded1f4b3b8
SHA5123faeff1a19893257c17571b89963af37534c189421585ea03dd6a3017d28803e9d08b0e4daceee01ffeda21da60e68d10083fe7dbdbbde313a6b489a40e70952
-
Filesize
84KB
MD5bfca96ed7647b31dd2919bedebb856b8
SHA17d802d5788784f8b6bfbb8be491c1f06600737ac
SHA256032b1a139adcff84426b6e156f9987b501ad42ecfb18170b10fb54da0157392e
SHA5123a2926b79c90c3153c88046d316a081c8ddfb181d5f7c849ea6ae55cb13c6adba3a0434f800c4a30017d2fbab79d459432a2e88487914b54a897c4301c778551
-
Filesize
25KB
MD5849b4203c5f9092db9022732d8247c97
SHA1ed7bd0d6dcdcfa07f754b98acf44a7cfe5dcb353
SHA25645bfbab1d2373cf7a8af19e5887579b8a306b3ad0c4f57e8f666339177f1f807
SHA512cc618b4fc918b423e5dbdcbc45206653133df16bf2125fd53bafef8f7850d2403564cf80f8a5d4abb4a8928ff1262f80f23c633ea109a18556d1871aff81cd39
-
Filesize
30KB
MD597a40f53a81c39469cc7c8dd00f51b5d
SHA16c3916fe42e7977d8a6b53bfbc5a579abcf22a83
SHA25611879a429c996fee8be891af2bec7d00f966593f1e01ca0a60bd2005feb4176f
SHA51202af654ab73b6c8bf15a81c0e9071c8faf064c529b1439a2ab476e1026c860cf7d01472945112d4583e5da8e4c57f1df2700331440be80066dbb6a7e89e1c5af
-
Filesize
24KB
MD50614691624f99748ef1d971419bdb80d
SHA139c52450ed7e31e935b5b0e49d03330f2057747d
SHA256ac7972502144e9e01e53001e8eec3fc9ab063564678b784d024da2036ba7384d
SHA512184bc172c7bb8a1fb55c4c23950cbe5e0b5a3c96c1c555ed8476edf79c5c729ed297112ee01b45d771e5c0055d2dc402b566967d1900b5abf683ee8e668c5b26
-
Filesize
41KB
MD504e7eb0b6861495233247ac5bb33a89a
SHA1c4d43474e0b378a00845cca044f68e224455612a
SHA2567efe25284a4663df9458603bf0988b0f47c7dcf56119e3e853e6bda80831a383
SHA512d4ea0484363edf284ac08a1c3356cc3112d410dd80fe5010c1777acf88dbd830e9f668b593e252033d657a3431a79f7b68d09eb071d0c2ceb51632dbe9b8ed97
-
Filesize
54KB
MD5d9eeeeacc3a586cf2dbf6df366f6029e
SHA14ff9fb2842a13e9371ce7894ec4fe331b6af9219
SHA25667649e1e8acd348834efb2c927ab6a7599cf76b2c0c0a50b137b3be89c482e29
SHA5120b9f1d80fb92c796682dba94a75fbce0e4fbeaedccd50e21d42d4b9366463a830109a8cd4300aa62b41910655f8ca96ecc609ea8a1b84236250b6fd08c965830
-
Filesize
60KB
MD5fd0f4aed22736098dc146936cbf0ad1d
SHA1e520def83b8efdbca9dd4b384a15880b036ee0cf
SHA25650404a6a3de89497e9a1a03ff3df65c6028125586dced1a006d2abb9009a9892
SHA512c8f3c04d87da19041f28e1d474c8eb052fe8c03ffd88f0681ef4a2ffe29755cfd5b9c100a1b1d2fdb233cb0f70e367af500cbd3cd4ce77475f441f2b2aa0ab8a
-
Filesize
21KB
MD53377ae26c2987cfee095dff160f2c86c
SHA10ca6aa60618950e6d91a7dea530a65a1cdf16625
SHA2569534cb9c997a17f0004fb70116e0141bdd516373b37bbd526d91ad080daa3a2b
SHA5128e408b84e2130ff48b8004154d1bdf6a08109d0b40f9fafb6f55e9f215e418e05dca819f411c802792a9d9936a55d6b90460121583e5568579a0fda6935852ee
-
Filesize
26KB
MD509b11699cdba4bc48cc6885a87af625a
SHA14f2882a14aea02b8fbf880485f19c43ba1f853ad
SHA256f6fe3a897a1d55e7f5de95f81ea6fcbc791329d6eaef6f33eb4227043b87adc1
SHA512c74c8caffd7b4c04828a0ff13efffe35feeb28917bed80179b1a4a9e8750c2e2156ce1307fb737efd8b4bf6ce2fda09b301bf33ac216045cf7638681db2d3368
-
Filesize
78KB
MD5f1f62b84c0b35781907bb21592bc4505
SHA1fe87d2ffad8ce88db37bafcc99d81a217a08ab9f
SHA256d0dda39645e4c7077ffb31b51a20765406c4d93a2df4d1813ed7ee639d9c002a
SHA512b901b769802c1d5c9dd2cfa2585386fa1c3d824a335262c9306da2aa01924e52d132c20b913940a1cf9d27251c041b5470aa652b4e6a072a7644d328dc270923
-
Filesize
24KB
MD54d3a451a342357750063c159cd2757cf
SHA1eb2d48a21b4a71279d3be521e7b6db2f39e1c435
SHA2568ec1721df7ad36c7f770e7a7a5b0e4a0016d9cefc349148e8c28220d58619fcf
SHA5124378adc0546a4ed430ee2cbb14fbb62424c7c135335e0dff8a677991105f5a83ddf4b36c694ae6fe473da20b88182361274e27fd71a5b20ce2f01d4e36963ed3
-
Filesize
19KB
MD5791d5c587c717986b9f43bcb197b9e18
SHA13e460efe0aeab8f776658c3b776fb148650fe5f2
SHA2565d74710030f51eee0e7b4de7b53ec45b552f01c2016767ea12038d0e23999896
SHA512785bc62a274e05e315a278b143afc6b597444ba61d420a4a2c2dcd7c46b08ab03aeca42429b6c6e8d548405e1602aeb24312f85878f12ab19cea0985dae28131
-
Filesize
1.4MB
MD583d235e1f5b0ee5b0282b5ab7244f6c4
SHA1629a1ce71314d7abbce96674a1ddf9f38c4a5e9c
SHA256db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0
SHA51277364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f
-
Filesize
2.0MB
MD5001536e476bf36e77c61e5e60d96ea76
SHA179f4768cf796262febd62f7d9d3d510f6c9d816f
SHA256364c6887349315afe5343bb2613002cd2b860af427a76aeceab591272b6f50a5
SHA512948141c8eee69e20f3497520fcdd2836aab6d01a16a9639aef0869795ca454b684bec79a77bf1c16da2a339ee4adaf56ac6c839c15b5e4ef912d5d94edb83a90
-
Filesize
35KB
MD515b0df96344baf6a4c72766721943e52
SHA1a3666e88594d1ec97de23b9242f346c43a34c070
SHA256abb6f497003738db2407b01dfa0abc61f6bc7fdb2452c52f76ab11f5430d844f
SHA5124fbf295d0882646b8c4b3284f11331fb12767fd1404d78d3e4d88a434896058c2df05dd1a2d9c8ce696d2d3aad8c7251d00d95c399df2e8c11bb319f87a4385e
-
Filesize
1.1MB
MD586cfc84f8407ab1be6cc64a9702882ef
SHA186f3c502ed64df2a5e10b085103c2ffc9e3a4130
SHA25611b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307
SHA512b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c
-
Filesize
24KB
MD5decbba3add4c2246928ab385fb16a21e
SHA15f019eff11de3122ffa67a06d52d446a3448b75e
SHA2564b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d
SHA512760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012
-
Filesize
203KB
MD56cd33578bc5629930329ca3303f0fae1
SHA1f2f8e3248a72f98d27f0cfa0010e32175a18487f
SHA2564150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0
SHA512c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e
-
Filesize
20KB
MD5eeaded775eabfaaede5ca025f55fd273
SHA18eefb3b9d85b4d5ad4033308f8af2a24e8792e02
SHA256db4d6a74a3301788d32905b2ccc525e9a8e2219f1a36924464871cf211f115a0
SHA512a6055d5604cc53428d89b308c223634cd94082be0ba4081513974e1826775d6e9fc26180c816d9a38fead89b5e04c5e7cf729c056bfae0ed74d6885c921b70ad
-
Filesize
86KB
MD5fe0e32bfe3764ed5321454e1a01c81ec
SHA17690690df0a73bdcc54f0f04b674fc8a9a8f45fb
SHA256b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92
SHA512d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d
-
Filesize
64KB
MD534e49bb1dfddf6037f0001d9aefe7d61
SHA1a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA2564055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856
-
Filesize
1.6MB
MD5db09c9bbec6134db1766d369c339a0a1
SHA1c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b
SHA256b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79
SHA512653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45
-
Filesize
24KB
MD5c39459806c712b3b3242f8376218c1e1
SHA185d254fb6cc5d6ed20a04026bff1158c8fd0a530
SHA2567cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9
SHA512b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d
-
Filesize
608KB
MD5895f001ae969364432372329caf08b6a
SHA14567fc6672501648b277fe83e6b468a7a2155ddf
SHA256f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7
SHA51205b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261
-
Filesize
293KB
MD506a5e52caf03426218f0c08fc02cc6b8
SHA1ae232c63620546716fbb97452d73948ebfd06b35
SHA256118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a
SHA512546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718
-
Filesize
40KB
MD59a8f969ecdf0c15734c1d582d2ae35d8
SHA1a40691e81982f610a062e49a5ad29cffb5a2f5a8
SHA256874e52cceae9a3c967bac7b628f4144c32e51fc77f519542fc1bac19045ecde8
SHA512e0deb59abef7440f30effb1aab6295b5a50c817f685be30b21a3c453e3099b97fd71984e6ca6a6c6e0021abb6e906838566f402b00a11813e67a4e00b119619f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82