Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/08/2024, 00:33 UTC

General

  • Target

    c41468fe40e62c704e9673588d427a42_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    c41468fe40e62c704e9673588d427a42

  • SHA1

    e093530b29fe73210618c713883b1e14cbe05bdd

  • SHA256

    ff1da268d8bd85b1009b4525397bac1bfa6b6fe374ffe2e30d527c6e2d1acd3e

  • SHA512

    6b1b319d4b7540ab2c66c4baa6c373f204b28d3dd7e4fc3fd5344620232581d56a2abba694acc2112a70773fe32894bae44ed77c6fdd6403e8eaa41111d388f1

  • SSDEEP

    24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:F9cKrUqZWLAcU

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c41468fe40e62c704e9673588d427a42_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4996
  • C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe
    1⤵
      PID:4696
    • C:\Users\Admin\AppData\Local\vBS0\BdeUISrv.exe
      C:\Users\Admin\AppData\Local\vBS0\BdeUISrv.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2068
    • C:\Windows\system32\iexpress.exe
      C:\Windows\system32\iexpress.exe
      1⤵
        PID:5064
      • C:\Users\Admin\AppData\Local\o3Be4rt5\iexpress.exe
        C:\Users\Admin\AppData\Local\o3Be4rt5\iexpress.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2400
      • C:\Windows\system32\systemreset.exe
        C:\Windows\system32\systemreset.exe
        1⤵
          PID:3016
        • C:\Users\Admin\AppData\Local\qeUJqU\systemreset.exe
          C:\Users\Admin\AppData\Local\qeUJqU\systemreset.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2912

        Network

        • flag-us
          DNS
          149.220.183.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          149.220.183.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          149.220.183.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          149.220.183.52.in-addr.arpa
          IN PTR
        • flag-us
          DNS
          149.220.183.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          149.220.183.52.in-addr.arpa
          IN PTR
        • flag-us
          DNS
          240.221.184.93.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          240.221.184.93.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          240.221.184.93.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          240.221.184.93.in-addr.arpa
          IN PTR
        • flag-us
          DNS
          240.221.184.93.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          240.221.184.93.in-addr.arpa
          IN PTR
        • flag-us
          DNS
          95.221.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          95.221.229.192.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          95.221.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          95.221.229.192.in-addr.arpa
          IN PTR
        • flag-us
          DNS
          88.156.103.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          88.156.103.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          88.156.103.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          88.156.103.20.in-addr.arpa
          IN PTR
        • flag-us
          DNS
          71.31.126.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          71.31.126.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          104.219.191.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          104.219.191.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          26.165.165.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          26.165.165.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          15.164.165.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          15.164.165.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          172.210.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.210.232.199.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          57.169.31.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          57.169.31.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          19.229.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          19.229.111.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          tse1.mm.bing.net
          Remote address:
          8.8.8.8:53
          Request
          tse1.mm.bing.net
          IN A
          Response
          tse1.mm.bing.net
          IN CNAME
          mm-mm.bing.net.trafficmanager.net
          mm-mm.bing.net.trafficmanager.net
          IN CNAME
          ax-0001.ax-msedge.net
          ax-0001.ax-msedge.net
          IN A
          150.171.27.10
          ax-0001.ax-msedge.net
          IN A
          150.171.28.10
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239317301498_17NQSSF7P234KKL2V&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          150.171.27.10:443
          Request
          GET /th?id=OADD2.10239317301498_17NQSSF7P234KKL2V&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 576031
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 129F13A3D1C04EE29C0F90F60526EA07 Ref B: LON04EDGE0819 Ref C: 2024-08-27T00:34:49Z
          date: Tue, 27 Aug 2024 00:34:49 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          150.171.27.10:443
          Request
          GET /th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 325315
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: DE87DCC4F1DF476ABE79B33129FA40B0 Ref B: LON04EDGE0819 Ref C: 2024-08-27T00:34:49Z
          date: Tue, 27 Aug 2024 00:34:49 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239317301344_1GOP24OENRO4Y0GB9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          150.171.27.10:443
          Request
          GET /th?id=OADD2.10239317301344_1GOP24OENRO4Y0GB9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 422962
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: D4BB23F624AD45869F8AE56CC804BA9C Ref B: LON04EDGE0819 Ref C: 2024-08-27T00:34:49Z
          date: Tue, 27 Aug 2024 00:34:49 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239317300911_1B8OV3E40VLMAHOY2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          150.171.27.10:443
          Request
          GET /th?id=OADD2.10239317300911_1B8OV3E40VLMAHOY2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 519962
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 7431F95C38BE4788A72DC42A17E18FBC Ref B: LON04EDGE0819 Ref C: 2024-08-27T00:34:49Z
          date: Tue, 27 Aug 2024 00:34:49 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239317301065_19TESU14MC7PCJXY2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          150.171.27.10:443
          Request
          GET /th?id=OADD2.10239317301065_19TESU14MC7PCJXY2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 485352
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 5D2D0406E38B4E0ABD9C1DB4B50FC438 Ref B: LON04EDGE0819 Ref C: 2024-08-27T00:34:49Z
          date: Tue, 27 Aug 2024 00:34:49 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          150.171.27.10:443
          Request
          GET /th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 473521
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: B6902E96034D4700A9334FA396E14F62 Ref B: LON04EDGE0819 Ref C: 2024-08-27T00:34:50Z
          date: Tue, 27 Aug 2024 00:34:49 GMT
        • flag-us
          DNS
          10.27.171.150.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          10.27.171.150.in-addr.arpa
          IN PTR
          Response
        • 150.171.27.10:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          6.9kB
          16
          13
        • 150.171.27.10:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          6.9kB
          16
          13
        • 150.171.27.10:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          6.9kB
          16
          13
        • 150.171.27.10:443
          https://tse1.mm.bing.net/th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          tls, http2
          100.1kB
          2.9MB
          2133
          2128

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239317301498_17NQSSF7P234KKL2V&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239317301344_1GOP24OENRO4Y0GB9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239317300911_1B8OV3E40VLMAHOY2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Response

          200

          HTTP Response

          200

          HTTP Response

          200

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239317301065_19TESU14MC7PCJXY2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Response

          200

          HTTP Response

          200

          HTTP Response

          200
        • 150.171.27.10:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          7.8kB
          15
          13
        • 8.8.8.8:53
          149.220.183.52.in-addr.arpa
          dns
          219 B
          147 B
          3
          1

          DNS Request

          149.220.183.52.in-addr.arpa

          DNS Request

          149.220.183.52.in-addr.arpa

          DNS Request

          149.220.183.52.in-addr.arpa

        • 8.8.8.8:53
          240.221.184.93.in-addr.arpa
          dns
          219 B
          144 B
          3
          1

          DNS Request

          240.221.184.93.in-addr.arpa

          DNS Request

          240.221.184.93.in-addr.arpa

          DNS Request

          240.221.184.93.in-addr.arpa

        • 8.8.8.8:53
          95.221.229.192.in-addr.arpa
          dns
          146 B
          144 B
          2
          1

          DNS Request

          95.221.229.192.in-addr.arpa

          DNS Request

          95.221.229.192.in-addr.arpa

        • 8.8.8.8:53
          88.156.103.20.in-addr.arpa
          dns
          144 B
          158 B
          2
          1

          DNS Request

          88.156.103.20.in-addr.arpa

          DNS Request

          88.156.103.20.in-addr.arpa

        • 8.8.8.8:53
          71.31.126.40.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          71.31.126.40.in-addr.arpa

        • 8.8.8.8:53
          104.219.191.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          104.219.191.52.in-addr.arpa

        • 8.8.8.8:53
          26.165.165.52.in-addr.arpa
          dns
          72 B
          146 B
          1
          1

          DNS Request

          26.165.165.52.in-addr.arpa

        • 8.8.8.8:53
          15.164.165.52.in-addr.arpa
          dns
          72 B
          146 B
          1
          1

          DNS Request

          15.164.165.52.in-addr.arpa

        • 8.8.8.8:53
          172.210.232.199.in-addr.arpa
          dns
          74 B
          128 B
          1
          1

          DNS Request

          172.210.232.199.in-addr.arpa

        • 8.8.8.8:53
          57.169.31.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          57.169.31.20.in-addr.arpa

        • 8.8.8.8:53
          19.229.111.52.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          19.229.111.52.in-addr.arpa

        • 8.8.8.8:53
          tse1.mm.bing.net
          dns
          62 B
          170 B
          1
          1

          DNS Request

          tse1.mm.bing.net

          DNS Response

          150.171.27.10
          150.171.28.10

        • 8.8.8.8:53
          10.27.171.150.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          10.27.171.150.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\o3Be4rt5\VERSION.dll

          Filesize

          1.2MB

          MD5

          a7066a36d3518d4ac6f590309439fbb9

          SHA1

          bc8e40a44a057a083af2bf111bbec49882b81121

          SHA256

          264ca2cc9e2185ad01eb3a4230adc78274d5d8b530c860464a422f819a1d8770

          SHA512

          46169f6b2e1070518926ba3337e721e52b18b80566444d0dca318a61ef7016a200b3d6036f96983ad7c748ecb7f66d95cc27dca4c528e20887bc2ecd31dafb82

        • C:\Users\Admin\AppData\Local\o3Be4rt5\iexpress.exe

          Filesize

          166KB

          MD5

          17b93a43e25d821d01af40ba6babcc8c

          SHA1

          97c978d78056d995f751dfef1388d7cce4cc404a

          SHA256

          d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

          SHA512

          6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

        • C:\Users\Admin\AppData\Local\qeUJqU\DUI70.dll

          Filesize

          1.4MB

          MD5

          1555d2789e07d6a3564a2427eea1c2c6

          SHA1

          4f7af3ff5ab87a3b26dfb28232991135e2f0c30f

          SHA256

          6603b0f292124260d08fefc0785ff7c3479c3147e4417af8d3fbfa4f16c88e05

          SHA512

          377dd0acded83a67b634d7fc14c1f33dd792e01a0b94c33f5436a99c35dec17021b1ffa3d2e54cb91dc821419a60ed9f6f16e97655f09a39861aacf74824ffff

        • C:\Users\Admin\AppData\Local\qeUJqU\systemreset.exe

          Filesize

          508KB

          MD5

          325ff647506adb89514defdd1c372194

          SHA1

          84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

          SHA256

          ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

          SHA512

          8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

        • C:\Users\Admin\AppData\Local\vBS0\BdeUISrv.exe

          Filesize

          54KB

          MD5

          8595075667ff2c9a9f9e2eebc62d8f53

          SHA1

          c48b54e571f05d4e21d015bb3926c2129f19191a

          SHA256

          20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

          SHA512

          080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

        • C:\Users\Admin\AppData\Local\vBS0\WTSAPI32.dll

          Filesize

          1.2MB

          MD5

          6ab8e9bd5b7c3f459a95c6d7ee1a70dd

          SHA1

          b81cf522485096d08060b9581ad137af0d9d5374

          SHA256

          d4c321e039ad623dcc87ace41838410b93660653eb680fb2cd75b2919e266d94

          SHA512

          a85452aaa654cb4aaef8bab0e555aab727741348467ebaeb1d57469dfcce144850b87ec11f29c4fe341cc413e542eed82e14e224ffd469947e39ca6178fd0014

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yfsfrqrlkk.lnk

          Filesize

          1KB

          MD5

          be326bbb6dc01115f0865e80a8b0f94d

          SHA1

          3b0ef2198f41400e52e7833c5c5c00f5e0f532b9

          SHA256

          ef989e449c329c648ff765e746d02ff31751177834b7b3f26a092f9f5f54ea24

          SHA512

          24f760d9d28a95244ecb6e8074ffa5a573cec078d863145527612452c33d6a9675b137a582ede285d468a264db9268f44f2da4a09cedb1902e52cab5525a2db5

        • memory/2068-51-0x00007FFC195A0000-0x00007FFC196D1000-memory.dmp

          Filesize

          1.2MB

        • memory/2068-46-0x00007FFC195A0000-0x00007FFC196D1000-memory.dmp

          Filesize

          1.2MB

        • memory/2068-45-0x0000025410C70000-0x0000025410C77000-memory.dmp

          Filesize

          28KB

        • memory/2400-68-0x00007FFC195A0000-0x00007FFC196D1000-memory.dmp

          Filesize

          1.2MB

        • memory/2400-62-0x000001A328540000-0x000001A328547000-memory.dmp

          Filesize

          28KB

        • memory/2912-79-0x00007FFC19560000-0x00007FFC196D6000-memory.dmp

          Filesize

          1.5MB

        • memory/2912-82-0x00000278E9530000-0x00000278E9537000-memory.dmp

          Filesize

          28KB

        • memory/2912-85-0x00007FFC19560000-0x00007FFC196D6000-memory.dmp

          Filesize

          1.5MB

        • memory/3428-29-0x00007FFC28E30000-0x00007FFC28E40000-memory.dmp

          Filesize

          64KB

        • memory/3428-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

        • memory/3428-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

        • memory/3428-6-0x00007FFC28DAA000-0x00007FFC28DAB000-memory.dmp

          Filesize

          4KB

        • memory/3428-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

        • memory/3428-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

        • memory/3428-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

        • memory/3428-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

        • memory/3428-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

        • memory/3428-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

        • memory/3428-28-0x0000000000F90000-0x0000000000F97000-memory.dmp

          Filesize

          28KB

        • memory/3428-4-0x0000000003150000-0x0000000003151000-memory.dmp

          Filesize

          4KB

        • memory/3428-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

        • memory/3428-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

        • memory/3428-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

        • memory/3428-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

        • memory/4996-0-0x00007FFC195B0000-0x00007FFC196E0000-memory.dmp

          Filesize

          1.2MB

        • memory/4996-38-0x00007FFC195B0000-0x00007FFC196E0000-memory.dmp

          Filesize

          1.2MB

        • memory/4996-3-0x0000017B799A0000-0x0000017B799A7000-memory.dmp

          Filesize

          28KB
