Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-11-2024 13:08

General

  • Target

    528ad5dc092a66925b6937b2fcd574b7112ef2c6e3f94e3c1900620b6dacf804.exe

  • Size

    690KB

  • MD5

    142ee86df8e3e6a378a0a2cdcc63ae9a

  • SHA1

    d00cb34a3bb32eb4c992606cb754e0b140aca581

  • SHA256

    528ad5dc092a66925b6937b2fcd574b7112ef2c6e3f94e3c1900620b6dacf804

  • SHA512

    d0337b96e0622d10688ce80aa949822d2d3859f53eceaf8dfb32d7486265d44a76d77c04bbeb9ce591c52b8778c92731b68e49c8ff8dbf4f049ffeca58e542c8

  • SSDEEP

    12288:Uy90RniNLv01IPY0vNlcBVviF00Jj25mJ9DhFvQE:Uy6nms1IPcPvWd25c9FZb

Malware Config

Signatures

  • Detects Healer, an antivirus disabler dropper 17 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 20 IoCs
  • Redline family
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\528ad5dc092a66925b6937b2fcd574b7112ef2c6e3f94e3c1900620b6dacf804.exe
    "C:\Users\Admin\AppData\Local\Temp\528ad5dc092a66925b6937b2fcd574b7112ef2c6e3f94e3c1900620b6dacf804.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2864
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un236178.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un236178.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3204
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02975496.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02975496.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3732
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1052
          4⤵
          • Program crash
          PID:1672
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk363092.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk363092.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4488
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3732 -ip 3732
    1⤵
      PID:4724

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      83.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      83.210.23.2.in-addr.arpa
      IN PTR
      Response
      83.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-83.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      83.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      83.210.23.2.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      67.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      67.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      205.47.74.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.47.74.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      13.86.106.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.86.106.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      200.163.202.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.163.202.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      106.209.201.84.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      106.209.201.84.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.210.23.2.in-addr.arpa
      IN PTR
      Response
      88.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-88.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      26.35.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.35.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      48.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      48.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340418604_1C96RL77YFK8DKA16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239340418604_1C96RL77YFK8DKA16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 588459
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: C71B0AA520DC40B6B94E52205C6BA194 Ref B: LON601060104025 Ref C: 2024-11-04T13:10:12Z
      date: Mon, 04 Nov 2024 13:10:12 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301623_1VUR2KBQVO06G93HJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239317301623_1VUR2KBQVO06G93HJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 707951
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 701226AE112A459D8BEE31AD693F423F Ref B: LON601060104025 Ref C: 2024-11-04T13:10:12Z
      date: Mon, 04 Nov 2024 13:10:12 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340418603_15DZPLB0SHJXVDM66&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239340418603_15DZPLB0SHJXVDM66&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 399216
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: D9B55E23F481471CB9B5C7A535CF0C82 Ref B: LON601060104025 Ref C: 2024-11-04T13:10:12Z
      date: Mon, 04 Nov 2024 13:10:12 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301214_1PJAY06J5HO947G63&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239317301214_1PJAY06J5HO947G63&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 417325
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: F874DFC147C44E3F975D7CC92C40890B Ref B: LON601060104025 Ref C: 2024-11-04T13:10:12Z
      date: Mon, 04 Nov 2024 13:10:12 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301079_1C0V2OISTJJIJUHWS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239317301079_1C0V2OISTJJIJUHWS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 694443
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 87114AD18DA24EC9976D37D833440560 Ref B: LON601060104025 Ref C: 2024-11-04T13:10:12Z
      date: Mon, 04 Nov 2024 13:10:12 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301512_1AX3RCN5D9AJKN0AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.28.10:443
      Request
      GET /th?id=OADD2.10239317301512_1AX3RCN5D9AJKN0AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 785891
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 1B62FED39645455BA231314F3CE78587 Ref B: LON601060104025 Ref C: 2024-11-04T13:10:12Z
      date: Mon, 04 Nov 2024 13:10:12 GMT
    • flag-us
      DNS
      10.28.171.150.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.28.171.150.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      11.73.50.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      11.73.50.20.in-addr.arpa
      IN PTR
      Response
    • 185.161.248.143:38452
      rk363092.exe
      260 B
      5
    • 185.161.248.143:38452
      rk363092.exe
      260 B
      5
    • 185.161.248.143:38452
      rk363092.exe
      260 B
      5
    • 185.161.248.143:38452
      rk363092.exe
      260 B
      5
    • 185.161.248.143:38452
      rk363092.exe
      260 B
      5
    • 150.171.28.10:443
      https://tse1.mm.bing.net/th?id=OADD2.10239317301512_1AX3RCN5D9AJKN0AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      tls, http2
      128.0kB
      3.7MB
      2708
      2704

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418604_1C96RL77YFK8DKA16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301623_1VUR2KBQVO06G93HJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418603_15DZPLB0SHJXVDM66&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301214_1PJAY06J5HO947G63&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301079_1C0V2OISTJJIJUHWS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301512_1AX3RCN5D9AJKN0AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      12
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.28.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 185.161.248.143:38452
      rk363092.exe
      260 B
      5
    • 185.161.248.143:38452
      rk363092.exe
      156 B
      3
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      142 B
      145 B
      2
      1

      DNS Request

      97.17.167.52.in-addr.arpa

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      83.210.23.2.in-addr.arpa
      dns
      140 B
      133 B
      2
      1

      DNS Request

      83.210.23.2.in-addr.arpa

      DNS Request

      83.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      67.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      67.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      205.47.74.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      205.47.74.20.in-addr.arpa

    • 8.8.8.8:53
      13.86.106.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      13.86.106.20.in-addr.arpa

    • 8.8.8.8:53
      200.163.202.172.in-addr.arpa
      dns
      74 B
      160 B
      1
      1

      DNS Request

      200.163.202.172.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      106.209.201.84.in-addr.arpa
      dns
      73 B
      133 B
      1
      1

      DNS Request

      106.209.201.84.in-addr.arpa

    • 8.8.8.8:53
      88.210.23.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      88.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      26.35.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      26.35.223.20.in-addr.arpa

    • 8.8.8.8:53
      48.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      48.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      170 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      150.171.28.10
      150.171.27.10

    • 8.8.8.8:53
      10.28.171.150.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      10.28.171.150.in-addr.arpa

    • 8.8.8.8:53
      11.73.50.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      11.73.50.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un236178.exe

      Filesize

      536KB

      MD5

      13b4b227aeee903d04f18a6305b0d9c1

      SHA1

      746544e229cd17c48416b86a7de6bb0f9722354f

      SHA256

      943dc071357be5d2d7f57626225d6051ee87c69012eb13ad21f723f01a37c917

      SHA512

      48bcb87b6ae8947dd9c87b6a573632b515d4e6ae19601060bed65e7cf05bb1b5e6f8c18053c670f80711c74fb1907c796ba36188c1ccfddb50c924a839c35458

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\02975496.exe

      Filesize

      259KB

      MD5

      509b1240c8701ef2bed7edacf1db1c41

      SHA1

      ddcbb052ac9badfd50ebf1406968d3d7749852da

      SHA256

      3e7c5f4038bc4f6579bf2fcd1d6fc1578cefd20d1946f042283cf465221773db

      SHA512

      87de975561f2e10129d34f1cb78f2efdbe844057858cfc55a7d7e6f1b6af26274db82132db150c8a54ad37869ff451ba13faf3801bd7a453a3c8a6086c8dc150

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk363092.exe

      Filesize

      341KB

      MD5

      545118faae736a0082babf1e77055cde

      SHA1

      158b6ddfb2de367348f44c13841885da32e7f4c7

      SHA256

      cd6cae57558528886649491cb32710737ee8fa08c2d4e924ee3e6f6c8fd1ca3f

      SHA512

      75e1c5e9fd5134431e12fe7c5e12efd908d606143189ec899c15c498606e73e4b2bca67ca4a2ed2f5b35deb721e306d623eaa8282866de7320ea7cefd0697992

    • memory/3732-15-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/3732-17-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

    • memory/3732-16-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/3732-18-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

    • memory/3732-19-0x00000000022C0000-0x00000000022DA000-memory.dmp

      Filesize

      104KB

    • memory/3732-20-0x0000000004AB0000-0x0000000005054000-memory.dmp

      Filesize

      5.6MB

    • memory/3732-21-0x0000000004A00000-0x0000000004A18000-memory.dmp

      Filesize

      96KB

    • memory/3732-49-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-47-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-46-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-43-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-41-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-39-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-37-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-35-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-33-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-31-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-30-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-27-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-25-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-23-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-22-0x0000000004A00000-0x0000000004A13000-memory.dmp

      Filesize

      76KB

    • memory/3732-50-0x0000000000470000-0x0000000000570000-memory.dmp

      Filesize

      1024KB

    • memory/3732-51-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/3732-54-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

    • memory/3732-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/4488-60-0x0000000004A20000-0x0000000004A5C000-memory.dmp

      Filesize

      240KB

    • memory/4488-61-0x0000000005050000-0x000000000508A000-memory.dmp

      Filesize

      232KB

    • memory/4488-65-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-73-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-95-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-93-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-91-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-87-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-85-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-83-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-81-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-79-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-77-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-75-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-71-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-69-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-67-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-89-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-63-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-62-0x0000000005050000-0x0000000005085000-memory.dmp

      Filesize

      212KB

    • memory/4488-854-0x0000000007550000-0x0000000007B68000-memory.dmp

      Filesize

      6.1MB

    • memory/4488-855-0x0000000007BF0000-0x0000000007C02000-memory.dmp

      Filesize

      72KB

    • memory/4488-856-0x0000000007C10000-0x0000000007D1A000-memory.dmp

      Filesize

      1.0MB

    • memory/4488-857-0x0000000007D30000-0x0000000007D6C000-memory.dmp

      Filesize

      240KB

    • memory/4488-858-0x0000000002510000-0x000000000255C000-memory.dmp

      Filesize

      304KB