
Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/10/2024, 16:33 UTC

General

  • Target

    4c0153b979e65346c1d6f863086082ec5ef103cbf6b0f5e8652d61da678a8ca5.exe

  • Size

    390KB

  • MD5

    8c64181ff0dc12c87e443aae94bf6650

  • SHA1

    e91d7ebd17912785caa3e71ef1571dc01b1cd854

  • SHA256

    4c0153b979e65346c1d6f863086082ec5ef103cbf6b0f5e8652d61da678a8ca5

  • SHA512

    4854565b054297dffc13b659a53059ee8731dca02f3027501254551cb4af20b68fb121d03e528151cf910238b49bf00a3827e74e4bb68faf85ebc50d02ad5c17

  • SSDEEP

    12288:ef/X4NTn/xVkNG+w+9OqFoK323qdQYKU3:EXATn/xVkNg+95vdQa

Malware Config

Signatures

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system. In this run the write comes from the rundll32.exe instance (PID 2996) that loaded the dropped C:\Windows\dllcm.dat, and the same process schedules a forced reboot for 17:36. The analysis was submitted at 16:33 with a 150s cap, so the run ends long before that reboot: whatever the modified MBR does at next boot is not captured in this report.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c0153b979e65346c1d6f863086082ec5ef103cbf6b0f5e8652d61da678a8ca5.exe
    "C:\Users\Admin\AppData\Local\Temp\4c0153b979e65346c1d6f863086082ec5ef103cbf6b0f5e8652d61da678a8ca5.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Windows\dllcm.dat #1
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:36
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:36
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1880
      • C:\Users\Admin\AppData\Local\Temp\8E36.tmp
        "C:\Users\Admin\AppData\Local\Temp\8E36.tmp" \\.\pipe\{BCECE8CB-B25D-43DE-B616-8FBF883E4892}
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4476
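
The tree above is the part of this report worth turning into a detection: the sample (32-bit, hence the SysWOW64 image path behind the System32 command line) drops C:\Windows\dllcm.dat and has rundll32.exe call its export by ordinal (`#1`) rather than by name; that rundll32 instance then writes the MBR, schedules `shutdown.exe /r /f` through schtasks with an empty task name, and launches a dropped `.tmp` executable with a named pipe path as its only argument. The Python below is an added example, not code from the tria.ge report or from the sample: it encodes those three traits as checks and runs them over a constructed copy of this process tree (pid, parent pid, image, command line, copied from the records above). Rule names and the record layout are the example's own choices.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample input: the process tree from this report, flattened into
# (pid, parent pid, image, command line) records copied from the entries above.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\4c0153b979e65346c1d6f863086082ec5ef103cbf6b0f5e8652d61da678a8ca5.exe"
SAMPLE_PROCESSES = [
    (768, 0, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    (2996, 768, r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Windows\dllcm.dat #1'),
    (1812, 2996, r"C:\Windows\SysWOW64\cmd.exe",
     r'/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:36'),
    (1880, 1812, r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:36'),
    (4476, 2996, r"C:\Users\Admin\AppData\Local\Temp\8E36.tmp",
     r'"C:\Users\Admin\AppData\Local\Temp\8E36.tmp" \\.\pipe\{BCECE8CB-B25D-43DE-B616-8FBF883E4892}'),
]


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str      # rule names are this example's own, not tria.ge signature names
    detail: str


# rundll32 <module>[,]#<ordinal>: export called by ordinal instead of by name
RUNDLL32_ORDINAL = re.compile(r'rundll32\.exe"?\s+(?P<module>\S+?),?\s*#(?P<ordinal>\d+)', re.IGNORECASE)
SCHTASKS_ACTION = re.compile(r'/tr\s+"(?P<action>[^"]*)"', re.IGNORECASE)
SCHTASKS_START = re.compile(r'/st\s+(?P<time>\d{1,2}:\d{2})', re.IGNORECASE)
PIPE_PREFIX = "\\\\.\\pipe\\"   # the literal \\.\pipe\ prefix of a named pipe path


def check_rundll32(p):
    """rundll32 calling an export by ordinal from a file that is not a .dll."""
    m = RUNDLL32_ORDINAL.search(p.cmdline)
    if not m:
        return None
    module = m.group("module").strip('"')
    suffix = PureWindowsPath(module).suffix.lower()
    if suffix == ".dll":
        return None
    return Finding(p.pid, "rundll32_ordinal_nondll",
                   f"export #{m.group('ordinal')} of {module} (extension {suffix or 'none'})")


def check_schtasks(p):
    """schtasks /Create whose action runs shutdown.exe (a timed forced reboot)."""
    if PureWindowsPath(p.image).name.lower() != "schtasks.exe":
        return None
    if "/create" not in p.cmdline.lower():
        return None
    action = SCHTASKS_ACTION.search(p.cmdline)
    if not action or "shutdown" not in action.group("action").lower():
        return None
    start = SCHTASKS_START.search(p.cmdline)
    return Finding(p.pid, "schtasks_shutdown",
                   f"action {action.group('action')!r} at {start.group('time') if start else '?'}")


def check_tmp_pipe(p):
    """A .tmp file executed with a named pipe path on its command line."""
    if PureWindowsPath(p.image).suffix.lower() != ".tmp":
        return None
    if PIPE_PREFIX.lower() not in p.cmdline.lower():
        return None
    return Finding(p.pid, "tmp_exe_named_pipe",
                   f"{PureWindowsPath(p.image).name} started with a named pipe argument")


CHECKS = (check_rundll32, check_schtasks, check_tmp_pipe)


def triage(records):
    """Run every check over every process record; return the findings."""
    findings = []
    for rec in records:
        p = Proc(*rec)
        for check in CHECKS:
            f = check(p)
            if f:
                findings.append(f)
    return findings


def lineage(records, pid):
    """Pid chain from `pid` up to the root of the tree, e.g. [1880, 1812, 2996, 768]."""
    parents = {r[0]: r[1] for r in records}
    chain = [pid]
    while parents.get(chain[-1], 0) in parents:
        chain.append(parents[chain[-1]])
    return chain


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f"PID {f.pid:<5} {f.rule:<24} {f.detail}   chain={lineage(SAMPLE_PROCESSES, f.pid)}")
```

All three findings hang off PID 2996, which is also the process carrying the MBR write and the AdjustPrivilegeToken behaviour above; the lineage is what makes that clear in a log where the records arrive out of order. The ordinal check deliberately ignores `.dll` modules because legitimate shell callbacks (`shell32.dll,#61` style) use the same syntax; what is unusual here is the `.dat` extension in C:\Windows.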

Network

  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    23.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    98.117.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    98.117.19.2.in-addr.arpa
    IN PTR
    Response
    98.117.19.2.in-addr.arpa
    IN PTR
    a2-19-117-98.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239398629743_1TH437YUI5ZNDOHAL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239398629743_1TH437YUI5ZNDOHAL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 470956
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 29D65900D88D4BEFA1CC8435993DEFF9 Ref B: LON601060103052 Ref C: 2024-10-18T16:35:25Z
    date: Fri, 18 Oct 2024 16:35:24 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301209_1YG8XJG78E6WL3S49&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239317301209_1YG8XJG78E6WL3S49&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 761871
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 172503A74F0245EEBEA19F75223D3840 Ref B: LON601060103052 Ref C: 2024-10-18T16:35:25Z
    date: Fri, 18 Oct 2024 16:35:24 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301618_18EK60OU3ULIWMD9V&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239317301618_18EK60OU3ULIWMD9V&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 910935
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7F2EB931F66D41C6ADFBB0FF0CE8A005 Ref B: LON601060103052 Ref C: 2024-10-18T16:35:25Z
    date: Fri, 18 Oct 2024 16:35:24 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239398629744_18YK2WB1TP6K8QRMK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239398629744_18YK2WB1TP6K8QRMK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 435129
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1EA2D4BB7B36443CB7363C8B9032CCD8 Ref B: LON601060103052 Ref C: 2024-10-18T16:35:25Z
    date: Fri, 18 Oct 2024 16:35:24 GMT
  • flag-us
    DNS
    10.27.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.27.171.150.in-addr.arpa
    IN PTR
    Response
  • 10.127.0.0:445
    rundll32.exe
    104 B
    2
  • 40.119.249.228:445
    settings-win.data.microsoft.com
    260 B
    5
  • 37.27.61.184:445
    260 B
    5
  • 10.127.0.1:445
    260 B
    5
  • 37.27.61.184:139
    260 B
    5
  • 10.127.0.1:139
    260 B
    5
  • 40.119.249.228:139
    settings-win.data.microsoft.com
    260 B
    5
  • 10.127.0.0:139
    rundll32.exe
    104 B
    2
  • 10.127.0.1:445
    rundll32.exe
    104 B
    2
  • 10.127.0.1:139
    rundll32.exe
    104 B
    2
  • 10.127.0.2:445
    rundll32.exe
    104 B
    2
  • 10.127.0.2:139
    rundll32.exe
    104 B
    2
  • 10.127.0.3:445
    rundll32.exe
    104 B
    2
  • 10.127.0.3:139
    rundll32.exe
    104 B
    2
  • 10.127.0.4:445
    rundll32.exe
    104 B
    2
  • 10.127.0.4:139
    rundll32.exe
    104 B
    2
  • 10.127.0.5:445
    rundll32.exe
    104 B
    2
  • 10.127.0.5:139
    rundll32.exe
    104 B
    2
  • 10.127.0.6:445
    rundll32.exe
    104 B
    2
  • 10.127.0.6:139
    rundll32.exe
    104 B
    2
  • 10.127.0.7:445
    rundll32.exe
    104 B
    2
  • 10.127.0.7:139
    rundll32.exe
    104 B
    2
  • 10.127.0.8:445
    rundll32.exe
    104 B
    2
  • 10.127.0.8:139
    rundll32.exe
    104 B
    2
  • 10.127.0.9:445
    rundll32.exe
    104 B
    2
  • 10.127.0.9:139
    rundll32.exe
    104 B
    2
  • 10.127.0.10:445
    rundll32.exe
    104 B
    2
  • 10.127.0.10:139
    rundll32.exe
    104 B
    2
  • 10.127.0.11:445
    rundll32.exe
    104 B
    2
  • 10.127.0.11:139
    rundll32.exe
    104 B
    2
  • 10.127.0.12:445
    rundll32.exe
  • 10.127.0.12:139
    rundll32.exe
    104 B
    2
  • 10.127.0.13:445
    rundll32.exe
    104 B
    2
  • 10.127.0.13:139
    rundll32.exe
    104 B
    2
  • 10.127.0.14:445
    rundll32.exe
    104 B
    2
  • 10.127.0.14:139
    rundll32.exe
    104 B
    2
  • 10.127.0.15:445
    rundll32.exe
    104 B
    2
  • 10.127.0.15:139
    rundll32.exe
    104 B
    2
  • 10.127.0.16:445
    rundll32.exe
    104 B
    2
  • 10.127.0.16:139
    rundll32.exe
    104 B
    2
  • 10.127.0.17:445
    rundll32.exe
    104 B
    2
  • 10.127.0.17:139
    rundll32.exe
    104 B
    2
  • 10.127.0.18:445
    rundll32.exe
    104 B
    2
  • 10.127.0.18:139
    rundll32.exe
    104 B
    2
  • 10.127.0.19:445
    rundll32.exe
    104 B
    2
  • 10.127.0.19:139
    rundll32.exe
    104 B
    2
  • 10.127.0.20:445
    rundll32.exe
    104 B
    2
  • 10.127.0.20:139
    rundll32.exe
    104 B
    2
  • 10.127.0.21:445
    rundll32.exe
    104 B
    2
  • 10.127.0.21:139
    rundll32.exe
    104 B
    2
  • 10.127.0.22:445
    rundll32.exe
    104 B
    2
  • 10.127.0.22:139
    rundll32.exe
    104 B
    2
  • 10.127.0.23:445
    rundll32.exe
    104 B
    2
  • 10.127.0.23:139
    rundll32.exe
    104 B
    2
  • 10.127.0.24:445
    rundll32.exe
    104 B
    2
  • 10.127.0.24:139
    rundll32.exe
    104 B
    2
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239398629744_18YK2WB1TP6K8QRMK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    95.0kB
    2.7MB
    1951
    1946

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239398629743_1TH437YUI5ZNDOHAL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301209_1YG8XJG78E6WL3S49&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301618_18EK60OU3ULIWMD9V&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239398629744_18YK2WB1TP6K8QRMK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 10.127.0.25:445
    rundll32.exe
    104 B
    2
  • 10.127.0.25:139
    rundll32.exe
    104 B
    2
  • 10.127.0.26:445
    rundll32.exe
    104 B
    2
  • 10.127.0.26:139
    rundll32.exe
    104 B
    2
  • 10.127.0.27:445
    rundll32.exe
    104 B
    2
  • 10.127.0.27:139
    rundll32.exe
    104 B
    2
  • 10.127.0.28:445
    rundll32.exe
    104 B
    2
  • 10.127.0.28:139
    rundll32.exe
    104 B
    2
  • 10.127.0.29:445
    rundll32.exe
    104 B
    2
  • 10.127.0.29:139
    rundll32.exe
    104 B
    2
  • 10.127.0.30:445
    rundll32.exe
    104 B
    2
  • 10.127.0.30:139
    rundll32.exe
    104 B
    2
  • 10.127.0.31:445
    rundll32.exe
    104 B
    2
  • 10.127.0.31:139
    rundll32.exe
    104 B
    2
  • 10.127.0.32:445
    rundll32.exe
    104 B
    2
  • 10.127.0.32:139
    rundll32.exe
    104 B
    2
  • 10.127.0.33:445
    rundll32.exe
    104 B
    2
  • 10.127.0.33:139
    rundll32.exe
    104 B
    2
  • 10.127.0.34:445
    rundll32.exe
    104 B
    2
  • 10.127.0.34:139
    rundll32.exe
    104 B
    2
  • 10.127.0.35:445
    rundll32.exe
    104 B
    2
  • 10.127.0.35:139
    rundll32.exe
    104 B
    2
  • 10.127.0.36:445
    rundll32.exe
    104 B
    2
  • 10.127.0.36:139
    rundll32.exe
    104 B
    2
  • 10.127.0.37:445
    rundll32.exe
  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    23.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    98.117.19.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    98.117.19.2.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    10.27.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.27.171.150.in-addr.arpa

  • 8.8.8.8:53

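The flow list above shows rundll32.exe (PID 2996, the process that loaded dllcm.dat) contacting every address from 10.127.0.0 to 10.127.0.37 on both 445/tcp and 139/tcp, two packets and 104 bytes per flow: SMB and NetBIOS connection attempts across the sandbox's /24 that went no further than the initial handshake. The HTTPS fetches from tse1.mm.bing.net carry a browser user-agent, return JPEG images and are not attributed to any process, and the PTR lookups of Microsoft and Akamai addresses are of the same kind; treat them as operating-system background traffic in the sandbox, not as activity of the sample. The Python below is an added example, not part of the tria.ge report: it rebuilds an approximation of the flow list as constructed input and applies a simple sweep heuristic (one process touching many distinct hosts in one /24 on one port). The threshold, the 38-host range and the record layout are assumptions chosen to match this report.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    process: Optional[str]   # process attributed by the sandbox, None if unattributed
    tx_bytes: int
    packets: int


def sample_flows() -> List[Flow]:
    """Constructed sample approximating the Network section above: a rundll32.exe
    sweep of 10.127.0.0-10.127.0.37 on 445/tcp and 139/tcp (104 B, 2 packets each)
    plus a few unattributed flows to Microsoft/Akamai addresses."""
    flows = []
    for host in range(0, 38):
        for port in (445, 139):
            flows.append(Flow(f"10.127.0.{host}", port, "rundll32.exe", 104, 2))
    flows += [
        Flow("40.119.249.228", 445, None, 260, 5),
        Flow("37.27.61.184", 445, None, 260, 5),
        Flow("40.119.249.228", 139, None, 260, 5),
        Flow("150.171.27.10", 443, None, 1200, 15),
    ]
    return flows


@dataclass(frozen=True)
class Sweep:
    process: str
    dst_port: int
    network: str
    hosts: int          # distinct destination hosts touched in the network
    short_flows: int    # flows of at most 2 packets, i.e. no session was set up


def find_sweeps(flows, min_hosts=8, prefix=24):
    """Group attributed flows by (process, port, /prefix network) and report the
    groups that touch at least `min_hosts` distinct hosts: the shape of a
    lateral-movement scan. Unattributed flows are skipped on purpose, since the
    sandbox could not tie them to the sample."""
    groups = defaultdict(list)
    for f in flows:
        if f.process is None:
            continue
        net = ipaddress.ip_network(f"{f.dst_ip}/{prefix}", strict=False)
        groups[(f.process, f.dst_port, str(net))].append(f)
    sweeps = []
    for (proc, port, net), group in groups.items():
        hosts = {f.dst_ip for f in group}
        if len(hosts) >= min_hosts:
            short = sum(1 for f in group if f.packets <= 2)
            sweeps.append(Sweep(proc, port, net, len(hosts), short))
    return sorted(sweeps, key=lambda s: (s.process, s.dst_port))


if __name__ == "__main__":
    for s in find_sweeps(sample_flows()):
        print(f"{s.process} swept {s.hosts} hosts in {s.network} on {s.dst_port}/tcp "
              f"({s.short_flows} flows never got past the connection attempt)")
```

The two resulting sweeps (445 and 139, 38 hosts each, every flow two packets long) are the lateral-movement attempt; in a real network the same heuristic run against firewall or NetFlow records would be the first place to look for hosts the sample actually reached, which the sandbox's empty /24 cannot show.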
MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\8E36.tmp

    Filesize

    55KB

    MD5

    7e37ab34ecdcc3e77e24522ddfd4852d

    SHA1

    38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

    SHA256

    02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

    SHA512

    1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

  • C:\Windows\dllcm.dat

    Filesize

    353KB

    MD5

    7c0747971df2d07ceca15f0edc0a9f6e

    SHA1

    4db833ba4ddf88c36d6956928721547e1e221c0d

    SHA256

    4dd22017d6f77573cc0f4999d22b45f1d71e6435350d4a5654ee1e93fec30827

    SHA512

    d5da33a23fa39441901b9f4cc08468692d076545ffd29c082982fde7e93bb27464445478a37629a47d56594fd019863a1de52573c47ccf8d2252eb2047f8606e

  • memory/2996-3-0x0000000002E40000-0x0000000002E9E000-memory.dmp

    Filesize

    376KB

  • memory/2996-11-0x0000000002E40000-0x0000000002E9E000-memory.dmp

    Filesize

    376KB

  • memory/2996-14-0x0000000002E40000-0x0000000002E9E000-memory.dmp

    Filesize

    376KB

  • memory/2996-12-0x0000000002E40000-0x0000000002E9E000-memory.dmp

    Filesize

    376KB

  • memory/2996-25-0x0000000002E40000-0x0000000002E9E000-memory.dmp

    Filesize

    376KB
