Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
19/03/2025, 06:00 UTC
General
-
Target
cerber.exe
-
Size
645KB
-
MD5
c81bf51e6e148ffcd51c0d0b538d6a19
-
SHA1
5aa0dfa5141306e7bfecbd0ae781f8bb284b53e4
-
SHA256
c0dfc434fb3b71fad599144d5d5ca3ca1897b8101b4be3daaf611a047893f06d
-
SHA512
b4ec4ccec37d71b61dd5873dbc7e994aa86d2450ba97b7e086ddb7578105f4bf0b05cc01605708b95325c31b1d805b94ba05c5fb73b5a74b49a2e33845241bb2
-
SSDEEP
6144:k9DlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsRyYgv:elYmDXEpDHRXP01yYC
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CT5M38_.txt
Family
cerber
Ransom Note
CERBER RANSOMWARE
-----
YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
-----
The only way to decrypt y0ur files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder,
inside there is the special file (*_READ_THIS_FILE_*) with complete instructions
how to decrypt your files.
If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://p27dokhpz2n7nvgr.onion/2A21-6239-6521-0446-9E5F
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://p27dokhpz2n7nvgr.12hygy.top/2A21-6239-6521-0446-9E5F
2. http://p27dokhpz2n7nvgr.14ewqv.top/2A21-6239-6521-0446-9E5F
3. http://p27dokhpz2n7nvgr.14vvrc.top/2A21-6239-6521-0446-9E5F
4. http://p27dokhpz2n7nvgr.129p1t.top/2A21-6239-6521-0446-9E5F
5. http://p27dokhpz2n7nvgr.1apgrn.top/2A21-6239-6521-0446-9E5F
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs
http://p27dokhpz2n7nvgr.onion/2A21-6239-6521-0446-9E5F
http://p27dokhpz2n7nvgr.12hygy.top/2A21-6239-6521-0446-9E5F
http://p27dokhpz2n7nvgr.14ewqv.top/2A21-6239-6521-0446-9E5F
http://p27dokhpz2n7nvgr.14vvrc.top/2A21-6239-6521-0446-9E5F
http://p27dokhpz2n7nvgr.129p1t.top/2A21-6239-6521-0446-9E5F
http://p27dokhpz2n7nvgr.1apgrn.top/2A21-6239-6521-0446-9E5F
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Cerber family
-
Detect Neshta payload 3 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Blocklisted process makes network request 5 IoCs
-
Contacts a large (1098) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 38 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cerber.exe"C:\Users\Admin\AppData\Local\Temp\cerber.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\cerber.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\cerber.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___5EDHJDN_.hta"3⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___CT5M38_.txt3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "cerber.exe"4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
Network
-
DNSapi.blockcypher.comRequestapi.blockcypher.comIN AResponseapi.blockcypher.comIN A172.67.17.223api.blockcypher.comIN A104.20.99.10api.blockcypher.comIN A104.20.98.10
-
GEThttp://api.blockcypher.com/v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1742364051029RequestGET /v1/btc/main/addrs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1742364051029 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: api.blockcypher.com
Connection: Keep-Alive
ResponseHTTP/1.1 403 Forbidden
Date: Wed, 19 Mar 2025 06:00:55 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Origin: *
X-Ratelimit-Remaining: 1
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 922ac090a9f88e49-LHR
Content-Encoding: gzip
-
DNSbtc.blockr.ioRequestbtc.blockr.ioIN AResponse
-
DNSbitaps.comRequestbitaps.comIN AResponsebitaps.comIN A178.128.255.179
-
DNSchain.soRequestchain.soIN AResponsechain.soIN A172.67.40.90chain.soIN A104.22.65.108chain.soIN A104.22.64.108
-
GEThttps://chain.so/api/v2/address/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1742364058539RequestGET /api/v2/address/btc/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_=1742364058539 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: chain.so
Connection: Keep-Alive
ResponseHTTP/1.1 404 Not Found
Date: Wed, 19 Mar 2025 06:01:00 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
status: 404 Not Found
Cache-Control: no-cache
referrer-policy: strict-origin-when-cross-origin
x-permitted-cross-domain-policies: none
x-xss-protection: 0
x-request-id: 47bbcf3e-f384-44ef-9a2f-b43e5746be0f
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
content-security-policy: default-src 'self' js.stripe.com challenges.cloudflare.com static.cloudflareinsights.com; font-src 'self' data:; img-src 'self' data:; object-src 'none'; script-src 'self' js.stripe.com challenges.cloudflare.com static.cloudflareinsights.com 'nonce-'; style-src 'self'; connect-src 'self' wss://ws.chain.so js.stripe.com challenges.cloudflare.com; frame-src 'self' challenges.cloudflare.com js.stripe.com
Content-Encoding: gzip
vary: accept-encoding
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 922ac0b11ae094cc-LHR
alt-svc: h3=":443"; ma=86400
-
DNSc.pki.googRequestc.pki.googIN AResponsec.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.180.3
-
GEThttp://c.pki.goog/r/gsr1.crlRequestGET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 19 Mar 2025 05:48:17 GMT
Expires: Wed, 19 Mar 2025 06:38:17 GMT
Cache-Control: public, max-age=3000
Age: 763
Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
GEThttp://c.pki.goog/r/r4.crlRequestGET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 19 Mar 2025 05:48:17 GMT
Expires: Wed, 19 Mar 2025 06:38:17 GMT
Cache-Control: public, max-age=3000
Age: 763
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
DNSwww.microsoft.comRequestwww.microsoft.comIN AResponsewww.microsoft.comIN CNAMEwww.microsoft.com-c-3.edgekey.netwww.microsoft.com-c-3.edgekey.netIN CNAMEwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netwww.microsoft.com-c-3.edgekey.net.globalredir.akadns.netIN CNAMEe13678.dscb.akamaiedge.nete13678.dscb.akamaiedge.netIN A23.192.18.101
-
GEThttp://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crlRequestGET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 1078
Content-Type: application/octet-stream
Content-MD5: HqJzZuA065RHozzmOcAUiQ==
Last-Modified: Tue, 14 Jan 2025 20:41:31 GMT
ETag: 0x8DD34DBD43549F4
x-ms-request-id: 90d94cda-601e-004e-55c9-667962000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Wed, 19 Mar 2025 06:01:30 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV5852635b.0
ms-cv-esi: CASMicrosoftCV5852635b.0
X-RTag: RT
-
DNScrl.microsoft.comRequestcrl.microsoft.comIN AResponsecrl.microsoft.comIN CNAMEcrl.www.ms.akadns.netcrl.www.ms.akadns.netIN CNAMEa1363.dscg.akamai.neta1363.dscg.akamai.netIN A2.18.190.73a1363.dscg.akamai.netIN A2.18.190.80
-
GEThttp://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crlRequestGET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 26 Sep 2024 02:21:11 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
ResponseHTTP/1.1 200 OK
Content-Length: 825
Content-Type: application/octet-stream
Content-MD5: O14L1mQEVqdJ2RVebBNXJw==
Last-Modified: Wed, 26 Feb 2025 21:48:51 GMT
ETag: 0x8DD56AF5BD2A499
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 9d5e7724-501e-0055-49a0-884761000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Wed, 19 Mar 2025 06:01:30 GMT
Connection: keep-alive
No results found
-
178.33.158.0:6893 -
178.33.158.1:6893
-
178.33.158.2:6893
-
178.33.158.3:6893
-
178.33.158.4:6893
-
178.33.158.5:6893
-
178.33.158.6:6893
-
178.33.158.7:6893
-
178.33.158.8:6893
-
178.33.158.9:6893
-
178.33.158.10:6893
-
178.33.158.11:6893
-
178.33.158.12:6893
-
178.33.158.13:6893
-
178.33.158.14:6893
-
178.33.158.15:6893
-
178.33.158.16:6893
-
178.33.158.17:6893
-
178.33.158.18:6893
-
178.33.158.19:6893
-
178.33.158.20:6893
-
178.33.158.21:6893
-
178.33.158.22:6893
-
178.33.158.23:6893
-
178.33.158.24:6893
-
178.33.158.25:6893
-
178.33.158.26:6893
-
178.33.158.27:6893
-
178.33.158.28:6893
-
178.33.158.29:6893
-
178.33.158.30:6893
-
178.33.158.31:6893
-
178.33.159.0:6893
-
178.33.159.1:6893
-
178.33.159.2:6893
-
178.33.159.3:6893
-
178.33.159.4:6893
-
178.33.159.5:6893
-
178.33.159.6:6893
-
178.33.159.7:6893
-
178.33.159.8:6893
-
178.33.159.9:6893
-
178.33.159.10:6893
-
178.33.159.11:6893
-
178.33.159.12:6893
-
178.33.159.13:6893
-
178.33.159.14:6893
-
178.33.159.15:6893
-
178.33.159.16:6893
-
178.33.159.17:6893
-
178.33.159.18:6893
-
178.33.159.19:6893
-
178.33.159.20:6893
-
178.33.159.21:6893
-
178.33.159.22:6893
-
178.33.159.23:6893
-
178.33.159.24:6893
-
178.33.159.25:6893
-
178.33.159.26:6893
-
178.33.159.27:6893
-
178.33.159.28:6893
-
178.33.159.29:6893
-
178.33.159.30:6893
-
178.33.159.31:6893
-
178.33.160.0:6893
-
178.33.160.1:6893
-
178.33.160.2:6893
-
178.33.160.3:6893
-
178.33.160.4:6893
-
178.33.160.5:6893
-
178.33.160.6:6893
-
178.33.160.7:6893
-
178.33.160.8:6893
-
178.33.160.9:6893
-
178.33.160.10:6893
-
178.33.160.11:6893
-
178.33.160.12:6893
-
178.33.160.13:6893
-
178.33.160.14:6893
-
178.33.160.15:6893
-
178.33.160.16:6893
-
178.33.160.17:6893
-
178.33.160.18:6893
-
178.33.160.19:6893
-
178.33.160.20:6893
-
178.33.160.21:6893
-
178.33.160.22:6893
-
178.33.160.23:6893
-
178.33.160.24:6893
-
178.33.160.25:6893
-
178.33.160.26:6893
-
178.33.160.27:6893
-
178.33.160.28:6893
-
178.33.160.29:6893
-
178.33.160.30:6893
-
178.33.160.31:6893
-
178.33.160.32:6893
-
178.33.160.33:6893
-
178.33.160.34:6893
-
178.33.160.35:6893
-
178.33.160.36:6893
-
178.33.160.37:6893
-
178.33.160.38:6893
-
178.33.160.39:6893
-
178.33.160.40:6893
-
178.33.160.41:6893
-
178.33.160.42:6893
-
178.33.160.43:6893
-
178.33.160.44:6893
-
178.33.160.45:6893
-
178.33.160.46:6893
-
178.33.160.47:6893
-
178.33.160.48:6893
-
178.33.160.49:6893
-
178.33.160.50:6893
-
178.33.160.51:6893
-
178.33.160.52:6893
-
178.33.160.53:6893
-
178.33.160.54:6893
-
178.33.160.55:6893
-
178.33.160.56:6893
-
178.33.160.57:6893
-
178.33.160.58:6893
-
178.33.160.59:6893
-
178.33.160.60:6893
-
178.33.160.61:6893
-
178.33.160.62:6893
-
178.33.160.63:6893
-
178.33.160.64:6893
-
178.33.160.65:6893
-
178.33.160.66:6893
-
178.33.160.67:6893
-
178.33.160.68:6893
-
178.33.160.69:6893
-
178.33.160.70:6893
-
178.33.160.71:6893
-
178.33.160.72:6893
-
178.33.160.73:6893
-
178.33.160.74:6893
-
178.33.160.75:6893
-
178.33.160.76:6893
-
178.33.160.77:6893
-
178.33.160.78:6893
-
178.33.160.79:6893
-
178.33.160.80:6893
-
178.33.160.81:6893
-
178.33.160.82:6893
-
178.33.160.83:6893
-
178.33.160.84:6893
-
178.33.160.85:6893
-
178.33.160.86:6893
-
178.33.160.87:6893
-
178.33.160.88:6893
-
178.33.160.89:6893
-
178.33.160.90:6893
-
178.33.160.91:6893
-
178.33.160.92:6893
-
178.33.160.93:6893
-
178.33.160.94:6893
-
178.33.160.95:6893
-
178.33.160.96:6893
-
178.33.160.97:6893
-
178.33.160.98:6893
-
178.33.160.99:6893
-
178.33.160.100:6893
-
178.33.160.101:6893
-
178.33.160.102:6893
-
178.33.160.103:6893
-
178.33.160.104:6893
-
178.33.160.105:6893
-
178.33.160.106:6893
-
178.33.160.107:6893
-
178.33.160.108:6893
-
178.33.160.109:6893
-
178.33.160.110:6893
-
178.33.160.111:6893
-
178.33.160.112:6893
-
178.33.160.113:6893
-
178.33.160.114:6893
-
178.33.160.115:6893
-
178.33.160.116:6893
-
178.33.160.117:6893
-
178.33.160.118:6893
-
178.33.160.119:6893
-
178.33.160.120:6893
-
178.33.160.121:6893
-
178.33.160.122:6893
-
178.33.160.123:6893
-
178.33.160.124:6893
-
178.33.160.125:6893
-
178.33.160.126:6893
-
178.33.160.127:6893
-
178.33.160.128:6893
-
178.33.160.129:6893
-
178.33.160.130:6893
-
178.33.160.131:6893
-
178.33.160.132:6893
-
178.33.160.133:6893
-
178.33.160.134:6893
-
178.33.160.135:6893
-
178.33.160.136:6893
-
178.33.160.137:6893
-
178.33.160.138:6893
-
178.33.160.139:6893
-
178.33.160.140:6893
-
178.33.160.141:6893
-
178.33.160.142:6893
-
178.33.160.143:6893
-
178.33.160.144:6893
-
178.33.160.145:6893
-
178.33.160.146:6893
-
178.33.160.147:6893
-
178.33.160.148:6893
-
178.33.160.149:6893
-
178.33.160.150:6893
-
178.33.160.151:6893
-
178.33.160.152:6893
-
178.33.160.153:6893
-
178.33.160.154:6893
-
178.33.160.155:6893
-
178.33.160.156:6893
-
178.33.160.157:6893
-
178.33.160.158:6893
-
178.33.160.159:6893
-
178.33.160.160:6893
-
178.33.160.161:6893
-
178.33.160.162:6893
-
178.33.160.163:6893
-
178.33.160.164:6893
-
178.33.160.165:6893
-
178.33.160.166:6893
-
178.33.160.167:6893
-
178.33.160.168:6893
-
178.33.160.169:6893
-
178.33.160.170:6893
-
178.33.160.171:6893
-
178.33.160.172:6893
-
178.33.160.173:6893
-
178.33.160.174:6893
-
178.33.160.175:6893
-
178.33.160.176:6893
-
178.33.160.177:6893
-
178.33.160.178:6893
-
178.33.160.179:6893
-
178.33.160.180:6893
-
178.33.160.181:6893
-
178.33.160.182:6893
-
178.33.160.183:6893
-
178.33.160.184:6893
-
178.33.160.185:6893
-
178.33.160.186:6893
-
178.33.160.187:6893
-
178.33.160.188:6893
-
178.33.160.189:6893
-
178.33.160.190:6893
-
178.33.160.191:6893
-
178.33.160.192:6893
-
178.33.160.193:6893
-
178.33.160.194:6893
-
178.33.160.195:6893
-
178.33.160.196:6893
-
178.33.160.197:6893
-
178.33.160.198:6893
-
178.33.160.199:6893
-
178.33.160.200:6893
-
178.33.160.201:6893
-
178.33.160.202:6893
-
178.33.160.203:6893
-
178.33.160.204:6893
-
178.33.160.205:6893
-
178.33.160.206:6893
-
178.33.160.207:6893
-
178.33.160.208:6893
-
178.33.160.209:6893
-
178.33.160.210:6893
-
178.33.160.211:6893
-
178.33.160.212:6893
-
178.33.160.213:6893
-
178.33.160.214:6893
-
178.33.160.215:6893
-
178.33.160.216:6893
-
178.33.160.217:6893
-
178.33.160.218:6893
-
178.33.160.219:6893
-
178.33.160.220:6893
-
178.33.160.221:6893
-
178.33.160.222:6893
-
178.33.160.223:6893
-
178.33.160.224:6893
-
178.33.160.225:6893
-
178.33.160.226:6893
-
178.33.160.227:6893
-
178.33.160.228:6893
-
178.33.160.229:6893
-
178.33.160.230:6893
-
178.33.160.231:6893
-
178.33.160.232:6893
-
178.33.160.233:6893
-
178.33.160.234:6893
-
178.33.160.235:6893
-
178.33.160.236:6893
-
178.33.160.237:6893
-
178.33.160.238:6893
-
178.33.160.239:6893
-
178.33.160.240:6893
-
178.33.160.241:6893
-
178.33.160.242:6893
-
178.33.160.243:6893
-
178.33.160.244:6893
-
178.33.160.245:6893
-
178.33.160.246:6893
-
178.33.160.247:6893
-
178.33.160.248:6893
-
178.33.160.249:6893
-
178.33.160.250:6893
-
178.33.160.251:6893
-
178.33.160.252:6893
-
178.33.160.253:6893
-
178.33.160.254:6893
-
178.33.160.255:6893
-
178.33.161.0:6893
-
178.33.161.1:6893
-
178.33.161.2:6893
-
178.33.161.3:6893
-
178.33.161.4:6893
-
178.33.161.5:6893
-
178.33.161.6:6893
-
178.33.161.7:6893
-
178.33.161.8:6893
-
178.33.161.9:6893
-
178.33.161.10:6893
-
178.33.161.11:6893
-
178.33.161.12:6893
-
178.33.161.13:6893
-
178.33.161.14:6893
-
178.33.161.15:6893
-
178.33.161.16:6893
-
178.33.161.17:6893
-
178.33.161.18:6893
-
178.33.161.19:6893
-
178.33.161.20:6893
-
178.33.161.21:6893
-
178.33.161.22:6893
-
178.33.161.23:6893
-
178.33.161.24:6893
-
178.33.161.25:6893
-
178.33.161.26:6893
-
178.33.161.27:6893
-
178.33.161.28:6893
-
178.33.161.29:6893
-
178.33.161.30:6893
-
178.33.161.31:6893
-
178.33.161.32:6893
-
178.33.161.33:6893
-
178.33.161.34:6893
-
178.33.161.35:6893
-
178.33.161.36:6893
-
178.33.161.37:6893
-
178.33.161.38:6893
-
178.33.161.39:6893
-
178.33.161.40:6893
-
178.33.161.41:6893
-
178.33.161.42:6893
-
178.33.161.43:6893
-
178.33.161.44:6893
-
178.33.161.45:6893
-
178.33.161.46:6893
-
178.33.161.47:6893
-
178.33.161.48:6893
-
178.33.161.49:6893
-
178.33.161.50:6893
-
178.33.161.51:6893
-
178.33.161.52:6893
-
178.33.161.53:6893
-
178.33.161.54:6893
-
178.33.161.55:6893
-
178.33.161.56:6893
-
178.33.161.57:6893
-
178.33.161.58:6893
-
178.33.161.59:6893
-
178.33.161.60:6893
-
178.33.161.61:6893
-
178.33.161.62:6893
-
178.33.161.63:6893
-
178.33.161.64:6893
-
178.33.161.65:6893
-
178.33.161.66:6893
-
178.33.161.67:6893
-
178.33.161.68:6893
-
178.33.161.69:6893
-
178.33.161.70:6893
-
178.33.161.71:6893
-
178.33.161.72:6893
-
178.33.161.73:6893
-
178.33.161.74:6893
-
178.33.161.75:6893
-
178.33.161.76:6893
-
178.33.161.77:6893
-
178.33.161.78:6893
-
178.33.161.79:6893
-
178.33.161.80:6893
-
178.33.161.81:6893
-
178.33.161.82:6893
-
178.33.161.83:6893
-
178.33.161.84:6893
-
178.33.161.85:6893
-
178.33.161.86:6893
-
178.33.161.87:6893
-
178.33.161.88:6893
-
178.33.161.89:6893
-
178.33.161.90:6893
-
178.33.161.91:6893
-
178.33.161.92:6893
-
178.33.161.93:6893
-
178.33.161.94:6893
-
178.33.161.95:6893
-
178.33.161.96:6893
-
178.33.161.97:6893
-
178.33.161.98:6893
-
178.33.161.99:6893
-
178.33.161.100:6893
-
178.33.161.101:6893
-
178.33.161.102:6893
-
178.33.161.103:6893
-
178.33.161.104:6893
-
178.33.161.105:6893
-
178.33.161.106:6893
-
178.33.161.107:6893
-
178.33.161.108:6893
-
178.33.161.109:6893
-
178.33.161.110:6893
-
178.33.161.111:6893
-
178.33.161.112:6893
-
178.33.161.113:6893
-
178.33.161.114:6893
-
178.33.161.115:6893
-
178.33.161.116:6893
-
178.33.161.117:6893
-
178.33.161.118:6893
-
178.33.161.119:6893
-
178.33.161.120:6893
-
178.33.161.121:6893
-
178.33.161.122:6893
-
178.33.161.123:6893
-
178.33.161.124:6893
-
178.33.161.125:6893
-
178.33.161.126:6893
-
178.33.161.127:6893
-
178.33.161.128:6893
-
178.33.161.129:6893
-
178.33.161.130:6893
-
178.33.161.131:6893
-
178.33.161.132:6893
-
178.33.161.133:6893
-
178.33.161.134:6893
-
178.33.161.135:6893
-
178.33.161.136:6893
-
178.33.161.137:6893
-
178.33.161.138:6893
-
178.33.161.139:6893
-
178.33.161.140:6893
-
178.33.161.141:6893
-
178.33.161.142:6893
-
178.33.161.143:6893
-
178.33.161.144:6893
-
178.33.161.145:6893
-
178.33.161.146:6893
-
178.33.161.147:6893
-
178.33.161.148:6893
-
178.33.161.149:6893
-
178.33.161.150:6893
-
178.33.161.151:6893
-
178.33.161.152:6893
-
178.33.161.153:6893
-
178.33.161.154:6893
-
178.33.161.155:6893
-
178.33.161.156:6893
-
178.33.161.157:6893
-
178.33.161.158:6893
-
178.33.161.159:6893
-
178.33.161.160:6893
-
178.33.161.161:6893
-
178.33.161.162:6893
-
178.33.161.163:6893
-
178.33.161.164:6893
-
178.33.161.165:6893
-
178.33.161.166:6893
-
178.33.161.167:6893
-
178.33.161.168:6893
-
178.33.161.169:6893
-
178.33.161.170:6893
-
178.33.161.171:6893
-
178.33.161.172:6893
-
178.33.161.173:6893
-
178.33.161.174:6893
-
178.33.161.175:6893
-
178.33.161.176:6893
-
178.33.161.177:6893
-
178.33.161.178:6893
-
178.33.161.179:6893
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
547KB
MD5cf6c595d3e5e9667667af096762fd9c4
SHA19bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
Filesize
183KB
MD5109cab5505f5e065b63d01361467a83b
SHA14ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc
-
Filesize
75KB
MD597080c15f25c013b9c23746a1790b524
SHA18edf0cf14e348367bbc27aab81d31ae5ce110c94
SHA256457f5e9fa2796935c893850291450614e588b7d95e7d4d4c1e2b60dc5b75f83c
SHA512ac31f0039ae8d0c3bee73d04b48cb80e81e411e8cc779b7f2538336bf75b4bf8b3835348b967153e435c357e1d21ab471a7cc389362b068545b56b9cc8c76bb9
-
Filesize
1KB
MD511c22817df99865dda3cc9bafe466f63
SHA1cd7ef922e3bd2c955c936a2542bc69df99e004b3
SHA256edd64f1a470ef2c1278c3b808a29e3d45558692b5ac7b800d55d5d0f1a276102
SHA512a1fcf1a7fb13e960b68f094173846c026fd734ab87bf800e103289abcccf25dff4fa3a33e833267cee3d92227a13fa39f75f8da9b93520dfd6bfa758d25b57c5
-
Filesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
Filesize
604KB
MD58b6bc16fd137c09a08b02bbe1bb7d670
SHA1c69a0f6c6f809c01db92ca658fcf1b643391a2b7
SHA256e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
SHA512b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
196KB
-
Filesize
212KB
-
Filesize
108KB
-
Filesize
108KB