Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/12/2024, 19:17 UTC

General

  • Target

    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe

  • Size

    29KB

  • MD5

    32437f0ee3fe67fb548f7e45e2c30a30

  • SHA1

    cfb02e162991c082423ff619a43d970876ef8430

  • SHA256

    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025e

  • SHA512

    01ecb3e1105055c6e16461b4581d2b30520b5b352169521a0bd1eebb5b00df3251e78f63da1763109ba1f2813269ef03f1b3f5a234f21b01f527f5c0fd0fc376

  • SSDEEP

    768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/J:AEwVs+0jNDY1qi/qx

Malware Config

Signatures

  • Detects MyDoom family 2 IoCs
  • MyDoom

    MyDoom is a worm written in C++.

  • Mydoom family
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    "C:\Users\Admin\AppData\Local\Temp\96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\services.exe
      "C:\Windows\services.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:1096

Network

  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    2.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    92.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    92.12.20.2.in-addr.arpa
    IN PTR
    Response
    92.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-92.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    20.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    m-ou.se
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    m-ou.se
    IN MX
    Response
    m-ou.se
    IN MX
    aspmx2.googlemail.com
    m-ou.se
    IN MX
    alt2aspmxlgoogle�9
    m-ou.se
    IN MX
    �Q
    m-ou.se
    IN MX
    aspmx5�.
    m-ou.se
    IN MX
    alt1�Q
    m-ou.se
    IN MX
    aspmx3�.
    m-ou.se
    IN MX
    aspmx4�.
  • flag-us
    DNS
    aspmx2.googlemail.com
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    aspmx2.googlemail.com
    IN A
    Response
    aspmx2.googlemail.com
    IN A
    142.250.150.26
  • flag-us
    DNS
    acm.org
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    acm.org
    IN MX
    Response
    acm.org
    IN MX
    mail.mailroute.net
  • flag-us
    DNS
    mail.mailroute.net
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    mail.mailroute.net
    IN A
    Response
    mail.mailroute.net
    IN A
    199.89.3.120
    mail.mailroute.net
    IN A
    199.89.1.120
  • flag-us
    DNS
    cs.stanford.edu
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    cs.stanford.edu
    IN MX
    Response
    cs.stanford.edu
    IN MX
    cs.stanford.edu
    IN MX
    smtp1�
    cs.stanford.edu
    IN MX
    smtp2�
  • flag-us
    DNS
    cs.stanford.edu
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    cs.stanford.edu
    IN A
    Response
    cs.stanford.edu
    IN A
    171.64.64.64
  • flag-us
    DNS
    burtleburtle.net
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    burtleburtle.net
    IN MX
    Response
    burtleburtle.net
    IN MX
    mx.burtleburtle.net
  • flag-us
    DNS
    mx.burtleburtle.net
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    mx.burtleburtle.net
    IN A
    Response
    mx.burtleburtle.net
    IN A
    65.254.254.51
    mx.burtleburtle.net
    IN A
    65.254.254.52
    mx.burtleburtle.net
    IN A
    65.254.254.50
  • flag-us
    DNS
    alumni.caltech.edu
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    alumni.caltech.edu
    IN MX
    Response
    alumni.caltech.edu
    IN MX
    alumni-caltech-edu.mail.protection.outlook.com
  • flag-us
    DNS
    alumni-caltech-edu.mail.protection.outlook.com
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    alumni-caltech-edu.mail.protection.outlook.com
    IN A
    Response
    alumni-caltech-edu.mail.protection.outlook.com
    IN A
    52.101.41.0
    alumni-caltech-edu.mail.protection.outlook.com
    IN A
    52.101.42.14
    alumni-caltech-edu.mail.protection.outlook.com
    IN A
    52.101.41.58
    alumni-caltech-edu.mail.protection.outlook.com
    IN A
    52.101.9.17
  • flag-us
    DNS
    gzip.org
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    gzip.org
    IN MX
    Response
    gzip.org
    IN MX
  • flag-us
    DNS
    gzip.org
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    gzip.org
    IN A
    Response
    gzip.org
    IN A
    85.187.148.2
  • flag-us
    DNS
    www.google.com
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.187.196
  • flag-us
    DNS
    www.altavista.com
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    www.altavista.com
    IN A
    Response
    www.altavista.com
    IN CNAME
    us.yhs4.search.yahoo.com
    us.yhs4.search.yahoo.com
    IN CNAME
    ds-global3.l7.search.ystg1.b.yahoo.com
    ds-global3.l7.search.ystg1.b.yahoo.com
    IN A
    212.82.100.137
  • flag-gb
    GET
    http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+gzip.org
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    142.250.187.196:80
    Request
    GET /search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+gzip.org HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: www.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/search%3Fhl%3Den%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dmailto%2Bgzip.org&hl=en&q=EgS117BTGOS_0roGIjBV0jStKsbtP_pMqL57JtjPDKhpvSXBBxoqSh5wsRmX5fGSXYHzMYSnoV54l6wDXxYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgsI5b_SugYQu-37MRIEtdewUw
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-9iVmTNYmuwQsUwWGYfSORQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/xsrp
    Date: Sat, 07 Dec 2024 19:20:05 GMT
    Server: gws
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AZ6Zc-WS6-KwjV1o9t4eZ7b-KV7C35d4yfrjDUiihP5btIdCDaVq6bMO0HI; expires=Thu, 05-Jun-2025 19:20:05 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-gb
    GET
    http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=email+gzip.org&num=50
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    142.250.187.196:80
    Request
    GET /search?hl=en&ie=UTF-8&oe=UTF-8&q=email+gzip.org&num=50 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: www.google.com
    Connection: Keep-Alive
  • flag-ie
    GET
    http://www.altavista.com/web/results?q=mailto+acm.org&kgs=0&kls=0&nbq=50
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    212.82.100.137:80
    Request
    GET /web/results?q=mailto+acm.org&kgs=0&kls=0&nbq=50 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: www.altavista.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 500 Internal Server Error
    Content-Type: text/plain; charset=utf-8;
    Secure_search_bypass: true
    Date: Sat, 07 Dec 2024 19:20:04 GMT
    Content-Encoding: gzip
    Age: 0
    Transfer-Encoding: chunked
    Connection: keep-alive
    Server: ATS
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block; report=https://csp.search.yahoo.com/xssreport
    Referrer-Policy: no-referrer-when-downgrade
  • flag-ie
    GET
    http://www.altavista.com/web/results?q=mailto+acm.org&kgs=0&kls=0&nbq=20
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    212.82.100.137:80
    Request
    GET /web/results?q=mailto+acm.org&kgs=0&kls=0&nbq=20 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: www.altavista.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 500 Internal Server Error
    Content-Type: text/plain; charset=utf-8;
    Secure_search_bypass: true
    Date: Sat, 07 Dec 2024 19:20:05 GMT
    Content-Encoding: gzip
    Age: 0
    Transfer-Encoding: chunked
    Connection: keep-alive
    Server: ATS
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block; report=https://csp.search.yahoo.com/xssreport
    Referrer-Policy: no-referrer-when-downgrade
  • flag-gb
    GET
    http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mail+burtleburtle.net&num=50
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    142.250.187.196:80
    Request
    GET /search?hl=en&ie=UTF-8&oe=UTF-8&q=mail+burtleburtle.net&num=50 HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: www.google.com
    Connection: Keep-Alive
  • flag-us
    DNS
    search.lycos.com
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    Remote address:
    8.8.8.8:53
    Request
    search.lycos.com
    IN A
    Response
    search.lycos.com
    IN CNAME
    search-core2.bo3.lycos.com
    search-core2.bo3.lycos.com
    IN A
    209.202.254.10
  • 10.0.77.20:1034
    services.exe
    260 B
    5
  • 172.16.1.116:1034
    services.exe
    260 B
    5
  • 10.0.77.20:1034
    services.exe
    260 B
    5
  • 10.11.161.112:1034
    services.exe
    260 B
    5
  • 10.135.189.123:1034
    services.exe
    260 B
    5
  • 10.127.0.3:1034
    services.exe
  • 142.250.150.26:25
    aspmx2.googlemail.com
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    104 B
    2
  • 199.89.3.120:25
    mail.mailroute.net
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    104 B
    2
  • 171.64.64.64:25
    cs.stanford.edu
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    104 B
    2
  • 171.64.64.64:25
    cs.stanford.edu
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    52 B
    1
  • 65.254.254.51:25
    mx.burtleburtle.net
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    52 B
    1
  • 52.101.41.0:25
    alumni-caltech-edu.mail.protection.outlook.com
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    52 B
    1
  • 85.187.148.2:25
    gzip.org
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    52 B
    1
  • 142.250.187.196:80
    http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=email+gzip.org&num=50
    http
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    918 B
    1.6kB
    6
    5

    HTTP Request

    GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+gzip.org

    HTTP Response

    302

    HTTP Request

    GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=email+gzip.org&num=50
  • 212.82.100.137:80
    http://www.altavista.com/web/results?q=mailto+acm.org&kgs=0&kls=0&nbq=20
    http
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    916 B
    982 B
    6
    4

    HTTP Request

    GET http://www.altavista.com/web/results?q=mailto+acm.org&kgs=0&kls=0&nbq=50

    HTTP Response

    500

    HTTP Request

    GET http://www.altavista.com/web/results?q=mailto+acm.org&kgs=0&kls=0&nbq=20

    HTTP Response

    500
  • 142.250.187.196:80
    http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mail+burtleburtle.net&num=50
    http
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    472 B
    92 B
    3
    2

    HTTP Request

    GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mail+burtleburtle.net&num=50
  • 209.202.254.10:80
    search.lycos.com
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    52 B
    1
  • 212.82.100.137:80
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
  • 142.250.187.196:80
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
  • 212.82.100.137:443
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
  • 209.202.254.10:443
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
  • 212.82.100.137:80
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
  • 142.250.187.196:80
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
  • 212.82.100.137:443
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
  • 192.229.221.95:80
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
  • 142.250.187.196:80
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
  • 95.100.245.168:80
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
  • 209.202.254.10:443
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
  • 88.221.134.137:80
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
  • 142.250.187.196:80
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    2.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    92.12.20.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    92.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    20.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    20.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    m-ou.se
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    53 B
    232 B
    1
    1

    DNS Request

    m-ou.se

  • 8.8.8.8:53
    aspmx2.googlemail.com
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    67 B
    83 B
    1
    1

    DNS Request

    aspmx2.googlemail.com

    DNS Response

    142.250.150.26

  • 8.8.8.8:53
    acm.org
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    53 B
    87 B
    1
    1

    DNS Request

    acm.org

  • 8.8.8.8:53
    mail.mailroute.net
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    64 B
    96 B
    1
    1

    DNS Request

    mail.mailroute.net

    DNS Response

    199.89.3.120
    199.89.1.120

  • 8.8.8.8:53
    cs.stanford.edu
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    61 B
    121 B
    1
    1

    DNS Request

    cs.stanford.edu

  • 8.8.8.8:53
    cs.stanford.edu
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    61 B
    77 B
    1
    1

    DNS Request

    cs.stanford.edu

    DNS Response

    171.64.64.64

  • 8.8.8.8:53
    burtleburtle.net
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    62 B
    81 B
    1
    1

    DNS Request

    burtleburtle.net

  • 8.8.8.8:53
    mx.burtleburtle.net
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    65 B
    113 B
    1
    1

    DNS Request

    mx.burtleburtle.net

    DNS Response

    65.254.254.51
    65.254.254.52
    65.254.254.50

  • 8.8.8.8:53
    alumni.caltech.edu
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    64 B
    126 B
    1
    1

    DNS Request

    alumni.caltech.edu

  • 8.8.8.8:53
    alumni-caltech-edu.mail.protection.outlook.com
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    92 B
    156 B
    1
    1

    DNS Request

    alumni-caltech-edu.mail.protection.outlook.com

    DNS Response

    52.101.41.0
    52.101.42.14
    52.101.41.58
    52.101.9.17

  • 8.8.8.8:53
    gzip.org
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    54 B
    70 B
    1
    1

    DNS Request

    gzip.org

  • 8.8.8.8:53
    gzip.org
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    54 B
    70 B
    1
    1

    DNS Request

    gzip.org

    DNS Response

    85.187.148.2

  • 8.8.8.8:53
    www.google.com
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.187.196

  • 8.8.8.8:53
    www.altavista.com
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    63 B
    157 B
    1
    1

    DNS Request

    www.altavista.com

    DNS Response

    212.82.100.137

  • 8.8.8.8:53
    search.lycos.com
    dns
    96327da8a9e501eb3b578019475004e274fdf7a98f34102c13b37eb5d98d025eN.exe
    62 B
    109 B
    1
    1

    DNS Request

    search.lycos.com

    DNS Response

    209.202.254.10


MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5D6A.tmp

    Filesize

    29KB

    MD5

    fae9ddcfb0520a4d7b0d8797a0caca3c

    SHA1

    d7f31c41ca77d450283324242dc31f3af5f203b4

    SHA256

    29e771e4d27c94ed2906aabe3b6cf7dbd90a44b5efb1c482daf225e272351dee

    SHA512

    6d66015d6d4625d5232ba42aab0d5dec3c8bed341c490cf50a91d8a86a7d62893c5b1d3bdbba7b5ff3086c7737762d8714ff969fdd52d74638af85334e9e4430

  • C:\Users\Admin\AppData\Local\Temp\zincite.log

    Filesize

    352B

    MD5

    8dba887a558723d945309ffc16ba0790

    SHA1

    1cbe0f8bc7cd012cafe2919e6b3c9d78e184a6b9

    SHA256

    39098dfd767cacc5f50542057b2d1ad5986a8a79e82db248e1ae79c13b62b492

    SHA512

    3244224dbf123cb9d334be9ed666d5c1f55e9ed9e653ed98e84a34fb23f14edece0366de3a75a8bea50ea99e1f14891e6c01eb6ddac2674d427509717539d8ee

  • C:\Windows\services.exe

    Filesize

    8KB

    MD5

    b0fe74719b1b647e2056641931907f4a

    SHA1

    e858c206d2d1542a79936cb00d85da853bfc95e2

    SHA256

    bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

    SHA512

    9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

  • memory/1096-33-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1096-38-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1096-16-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1096-21-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1096-26-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1096-28-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1096-5-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1096-15-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1096-40-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1096-45-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1096-50-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1096-52-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/1096-57-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2924-56-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB

  • memory/2924-13-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB

  • memory/2924-0-0x0000000000500000-0x0000000000510200-memory.dmp

    Filesize

    64KB
