Analysis
max time kernel: 599s
max time network: 637s
platform: windows7_x64
resource: win7v20210408
submitted: 11/06/2021, 08:16 UTC
Static task: static1
URLScan task: urlscan1
Sample: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Behavioral task: behavioral1
Sample: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Resource: win7v20210408
General
Target: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Sample: 210611-7ve91pm4me
Malware Config
Extracted: C:\$Recycle.Bin\RyukReadMe.html
Family: ryuk
URL: http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion
Signatures
Modifies system executable filetype association 2 TTPs 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
Registers COM server for autorun 1 TTPs
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
Executes dropped EXE 5 IoCs
pid | Process
2188 | uninstall.exe
2940 | th.exe
992 | WinRAR.exe
832 | WinRAR.exe
2452 | RYUK_JUNE_2021.exe
Loads dropped DLL 12 IoCs
pid | Process
628 | winrar-x64-601.exe
2188 | uninstall.exe
2188 | uninstall.exe
628 | winrar-x64-601.exe
1204 | Process not Found (8 entries)
Modifies file permissions 1 TTPs 2 IoCs
pid | Process
1380 | icacls.exe
2328 | icacls.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\S:, \??\O:, \??\N:, \??\Z:, \??\R:, \??\K:, \??\G:, \??\V:, \??\X:, \??\U:, \??\T:, \??\Q:, \??\P:, \??\M:, \??\H:, \??\Y:, \??\E:, \??\L:, \??\J:, \??\I:, \??\F:, \??\W: (one entry per drive, 22 in total) | RYUK_JUNE_2021.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.concurrent_1.1.0.v20130327-1442.jar | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+12 | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232795.WMF | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\WinRAR\WinCon.SFX | winrar-x64-601.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\2d.x3d | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09194_.WMF | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Dubai | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\extensions\RyukReadMe.html | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\intf\http.luac | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcfr.dll.mui | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\RyukReadMe.html | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Monaco | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Reference Assemblies\RyukReadMe.html | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.LIC | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151581.WMF | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\RyukReadMe.html | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02389_.WMF | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\RyukReadMe.html | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\South_Georgia | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\RyukReadMe.html | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.DLL | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\WordMUI.XML | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\RyukReadMe.html | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Whitehorse | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jre7\README.txt | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\RyukReadMe.html | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239967.WMF | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.INF | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090027.WMF | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02413_.WMF | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\RyukReadMe.html | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_zh_4.4.0.v20140623020002.jar | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\RyukReadMe.html | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04385_.WMF | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Manaus | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\PREVIEW.GIF | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Barbados | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00172_.GIF | RYUK_JUNE_2021.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107718.WMF | RYUK_JUNE_2021.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid | Process
2372 | tasklist.exe
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PhishingFilter | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 10864b0aab5ed701 | iexplore.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI \th.exe = "0" | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000529101d5c9814b4eb0f580b37542e450000000000200000000001066000000010000200000009c094be830b5796381ea19fedf9e7dce8abc28fd83c55f3e52c159924ce4b8a9000000000e8000000002000020000000dc39d133091d4fac57ddb562ca637edbb7029eab0dfafca5a4f6ad5428923e9220000000e640782592b35d2f97b5dce7781eb1c02252b1644b1691579cd71d87ba915e92400000005759c1872c751f600fcbbdc258c9a5cc9d29ce43ae23a397ed64dc585168d323bc9740f8741708dd6853b8abca26332a41408b7953178fac59ed04d6e298f83f | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\WinRAR.exe = "11000" | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING | th.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\th.exe = "1" | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | th.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\th.exe = "1" | th.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\WinRAR.exe = "1" | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE | th.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000002000000030000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "330171420" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\th.exe = "1" | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI | th.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\th.exe = "1" | th.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\WinRAR.exe = "0" | th.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\WinRAR.exe = "1" | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT | th.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\th.exe = "1" | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM | th.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | winrar-x64-601.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | th.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\WinRAR.exe = "0" | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | winrar-x64-601.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\th.exe = "0" | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING \WinRAR.exe = "1" | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL | th.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\th.exe = "0" | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\th.exe = "11000" | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | th.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\WinRAR.exe = "1" | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | th.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS | th.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload | regedit.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409" | regedit.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\2 = "00000419" | regedit.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r04 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r01 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r03 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,1" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r07 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r21\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r10 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uue | uninstall.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | iexplore.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r06 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.001 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r16\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r29\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r21 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive" | uninstall.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r01\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uu | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz | uninstall.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | iexplore.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r17 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV | uninstall.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff | iexplore.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r14 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r26 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive" | uninstall.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r06\ = "WinRAR" | uninstall.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
464 | NOTEPAD.EXE
Runs .reg file with regedit 1 IoCs
pid | Process
1004 | regedit.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
996 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 980 chrome.exe 2464 chrome.exe 1264 chrome.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 980 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process
Token: SeDebugPrivilege 2372 tasklist.exe
Token: 33 1016 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1016 AUDIODG.EXE
Token: 33 1016 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1016 AUDIODG.EXE
Token: SeDebugPrivilege 980 taskmgr.exe
Token: SeShutdownPrivilege 980 taskmgr.exe
Token: SeShutdownPrivilege 980 taskmgr.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2512 iexplore.exe 2512 iexplore.exe 992 WinRAR.exe 992 WinRAR.exe 992 WinRAR.exe 992 WinRAR.exe 832 WinRAR.exe 832 WinRAR.exe 832 WinRAR.exe 832 WinRAR.exe 832 WinRAR.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe 980 taskmgr.exe -
Suspicious use of SetWindowsHookEx 18 IoCs
pid Process 2512 iexplore.exe 2512 iexplore.exe 2888 IEXPLORE.EXE 2888 IEXPLORE.EXE 2888 IEXPLORE.EXE 2888 IEXPLORE.EXE 2888 IEXPLORE.EXE 2888 IEXPLORE.EXE 1576 winrar-x64-601.exe 1576 winrar-x64-601.exe 628 winrar-x64-601.exe 628 winrar-x64-601.exe 2940 th.exe 2940 th.exe 2940 th.exe 2940 th.exe 2888 IEXPLORE.EXE 2512 iexplore.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target
PID 2512 wrote to memory of 2888 2512 iexplore.exe 40
PID 2512 wrote to memory of 2888 2512 iexplore.exe 40
PID 2512 wrote to memory of 2888 2512 iexplore.exe 40
PID 2512 wrote to memory of 2888 2512 iexplore.exe 40
PID 292 wrote to memory of 1140 292 chrmstp.exe 48
PID 292 wrote to memory of 1140 292 chrmstp.exe 48
PID 292 wrote to memory of 1140 292 chrmstp.exe 48
PID 628 wrote to memory of 2188 628 winrar-x64-601.exe 106
PID 628 wrote to memory of 2188 628 winrar-x64-601.exe 106
PID 628 wrote to memory of 2188 628 winrar-x64-601.exe 106
PID 628 wrote to memory of 2940 628 winrar-x64-601.exe 107
PID 628 wrote to memory of 2940 628 winrar-x64-601.exe 107
PID 628 wrote to memory of 2940 628 winrar-x64-601.exe 107
PID 2940 wrote to memory of 2588 2940 th.exe 108
PID 2940 wrote to memory of 2588 2940 th.exe 108
PID 2940 wrote to memory of 2588 2940 th.exe 108
PID 2588 wrote to memory of 996 2588 cmd.exe 111
PID 2588 wrote to memory of 996 2588 cmd.exe 111
PID 2588 wrote to memory of 996 2588 cmd.exe 111
PID 2588 wrote to memory of 2372 2588 cmd.exe 112
PID 2588 wrote to memory of 2372 2588 cmd.exe 112
PID 2588 wrote to memory of 2372 2588 cmd.exe 112
PID 2588 wrote to memory of 1304 2588 cmd.exe 113
PID 2588 wrote to memory of 1304 2588 cmd.exe 113
PID 2588 wrote to memory of 1304 2588 cmd.exe 113
PID 2452 wrote to memory of 1380 2452 RYUK_JUNE_2021.exe 128
PID 2452 wrote to memory of 1380 2452 RYUK_JUNE_2021.exe 128
PID 2452 wrote to memory of 1380 2452 RYUK_JUNE_2021.exe 128
PID 2452 wrote to memory of 1380 2452 RYUK_JUNE_2021.exe 128
PID 2452 wrote to memory of 2328 2452 RYUK_JUNE_2021.exe 129
PID 2452 wrote to memory of 2328 2452 RYUK_JUNE_2021.exe 129
PID 2452 wrote to memory of 2328 2452 RYUK_JUNE_2021.exe 129
PID 2452 wrote to memory of 2328 2452 RYUK_JUNE_2021.exe 129
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2512 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1888 /prefetch:81⤵PID:2684
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=540 /prefetch:81⤵PID:2676
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:11⤵PID:2960
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:11⤵PID:976
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings1⤵
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13fa3a890,0x13fa3a8a0,0x13fa3a8b02⤵PID:1140
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:11⤵PID:1848
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 /prefetch:81⤵
- Suspicious behavior: EnumeratesProcesses
PID:980
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4072 /prefetch:81⤵PID:2868
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3856 /prefetch:81⤵PID:1636
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3776 /prefetch:81⤵PID:1632
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3780 /prefetch:81⤵PID:1752
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3776 /prefetch:81⤵PID:1976
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3788 /prefetch:81⤵PID:320
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3832 /prefetch:81⤵PID:832
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3860 /prefetch:81⤵PID:1560
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4112 /prefetch:81⤵PID:1604
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 /prefetch:81⤵
- Suspicious behavior: EnumeratesProcesses
PID:2464
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4256 /prefetch:81⤵PID:932
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3864 /prefetch:81⤵PID:2388
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2452 /prefetch:81⤵PID:2208
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:81⤵PID:2172
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3788 /prefetch:81⤵PID:1892
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3780 /prefetch:81⤵PID:2012
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4268 /prefetch:81⤵PID:2040
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:81⤵PID:1972
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2156 /prefetch:81⤵PID:2896
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 /prefetch:81⤵PID:2964
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3316 /prefetch:81⤵PID:2088
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3160 /prefetch:81⤵PID:3008
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4076 /prefetch:81⤵PID:3012
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3828 /prefetch:81⤵PID:3000
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3904 /prefetch:81⤵PID:2988
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:11⤵PID:2868
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1524 /prefetch:81⤵PID:2104
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3528 /prefetch:81⤵PID:2164
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3656 /prefetch:81⤵PID:832
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3940 /prefetch:81⤵PID:2184
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3644 /prefetch:81⤵PID:2404
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3844 /prefetch:81⤵PID:2180
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:81⤵PID:1084
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3640 /prefetch:81⤵PID:2056
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Russian_kb_reg.txt1⤵
- Opens file in notepad (likely ransom note)
PID:464
-
C:\Windows\regedit.exe"regedit.exe" "C:\Users\Admin\Desktop\Russian_kb.reg"1⤵
- Modifies data under HKEY_USERS
- Runs .reg file with regedit
PID:1004
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4684 /prefetch:81⤵PID:2436
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2544 /prefetch:11⤵PID:2080
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:11⤵PID:2240
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:11⤵PID:2704
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3252 /prefetch:81⤵PID:940
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2208 /prefetch:81⤵PID:2652
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:81⤵
- Suspicious behavior: EnumeratesProcesses
PID:1264
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2552 /prefetch:81⤵PID:3064
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5216 /prefetch:81⤵PID:1628
-
C:\Users\Admin\Downloads\winrar-x64-601.exe"C:\Users\Admin\Downloads\winrar-x64-601.exe"1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1576
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:11⤵PID:2392
-
C:\Users\Admin\Downloads\winrar-x64-601.exe"C:\Users\Admin\Downloads\winrar-x64-601.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Program Files\WinRAR\uninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setup2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2188
-
-
C:\Program Files\WinRAR\th.exe"C:\Program Files\WinRAR\th.exe" -lng English -src wrr -lp thankyou -ver 601 -arch 64 -dom notifier.win-rar.com2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
PID:996
-
-
C:\Windows\system32\tasklist.exeTaskList4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
C:\Windows\system32\find.exeFind "C:\Program Files\WinRAR\th.exe"4⤵PID:1304
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1012 /prefetch:11⤵PID:2436
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:11⤵PID:2052
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1688 /prefetch:81⤵PID:2104
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1064,12628833329736241694,12663670754549899423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:81⤵PID:1752
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -imon1 -- "C:\Users\Admin\Desktop\PACO_60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df.zip" C:\Users\Admin\Desktop\PACO_60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df\1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:992
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x55c1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -imon1 -- "C:\Users\Admin\Desktop\PACO_60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df\60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df.zip" C:\Users\Admin\Desktop\PACO_60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df\1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:832
-
C:\Windows\System32\taskmgr.exe"C:\Windows\System32\taskmgr.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:980
-
C:\Users\Admin\Desktop\RYUK_JUNE_2021.exe"C:\Users\Admin\Desktop\RYUK_JUNE_2021.exe"1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1380
-
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:2328
-
Network
-
Remote address:8.8.8.8:53Requestaccounts.google.comIN AResponseaccounts.google.comIN A172.217.17.109
-
Remote address:8.8.8.8:53Requestaccounts.google.comIN A
-
Remote address:8.8.8.8:53Requestaccounts.google.comIN A
-
Remote address:8.8.8.8:53Requestaccounts.google.comIN A
-
Remote address:8.8.8.8:53Requestaccounts.google.comIN A
-
Remote address:8.8.8.8:53Requestredirector.gvt1.comIN AResponseredirector.gvt1.comIN A172.217.17.78
-
Remote address:8.8.8.8:53Requestredirector.gvt1.comIN A
-
Remote address:8.8.8.8:53Requestredirector.gvt1.comIN A
-
Remote address:8.8.8.8:53Requestredirector.gvt1.comIN A
-
Remote address:8.8.8.8:53Requestredirector.gvt1.comIN A
-
Remote address:8.8.8.8:53Requestclients2.google.comIN AResponseclients2.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A172.217.20.78
-
Remote address:8.8.8.8:53Requestclients2.google.comIN A
-
Remote address:8.8.8.8:53Requestclients2.google.comIN A
-
Remote address:8.8.8.8:53Requestclients2.google.comIN A
-
Remote address:8.8.8.8:53Requestclients2.google.comIN A
-
Remote address:8.8.8.8:53Requestdns.googleIN AResponsedns.googleIN A8.8.8.8dns.googleIN A8.8.4.4
-
Remote address: 8.8.8.8:53
Request: www.google.com IN A
Response: www.google.com IN A 142.250.179.196
-
Remote address: 8.8.8.8:53
Request: pki.goog IN A
Response: pki.goog IN A 216.239.32.29
-
Remote address: 216.239.32.29:80
Request:
GET /gsr1/gsr1.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: pki.goog
Response:
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: application/pkix-cert
Cross-Origin-Resource-Policy: same-site
Content-Length: 889
Date: Fri, 11 Jun 2021 08:06:52 GMT
Expires: Fri, 11 Jun 2021 09:06:52 GMT
Last-Modified: Wed, 20 May 2020 16:45:00 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Age: 633
Cache-Control: public, max-age=3600
-
Remote address: 216.239.32.29:80
Request:
GET /gsr1/gsr1.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: pki.goog
Response:
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: application/pkix-cert
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: same-site
Content-Length: 889
Date: Fri, 11 Jun 2021 07:37:17 GMT
Expires: Fri, 11 Jun 2021 08:37:17 GMT
Last-Modified: Wed, 20 May 2020 16:45:00 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Age: 2408
Cache-Control: public, max-age=3600
-
Remote address: 8.8.8.8:53
Request: www.download.windowsupdate.com IN A
Response:
  www.download.windowsupdate.com IN CNAME wu-fg-shim.trafficmanager.net
  wu-fg-shim.trafficmanager.net IN CNAME 2-01-3cf7-0009.cdx.cedexis.net
  2-01-3cf7-0009.cdx.cedexis.net IN CNAME fg.download.windowsupdate.com.c.footprint.net
  fg.download.windowsupdate.com.c.footprint.net IN A 8.238.111.254
  fg.download.windowsupdate.com.c.footprint.net IN A 67.24.35.254
  fg.download.windowsupdate.com.c.footprint.net IN A 67.26.109.254
  fg.download.windowsupdate.com.c.footprint.net IN A 8.253.208.112
  fg.download.windowsupdate.com.c.footprint.net IN A 8.253.208.120
-
Remote address: 8.8.8.8:53
Request: www.download.windowsupdate.com IN A
Response:
  www.download.windowsupdate.com IN CNAME wu-fg-shim.trafficmanager.net
  wu-fg-shim.trafficmanager.net IN CNAME 2-01-3cf7-0009.cdx.cedexis.net
  2-01-3cf7-0009.cdx.cedexis.net IN CNAME download.windowsupdate.com.edgesuite.net
  download.windowsupdate.com.edgesuite.net IN CNAME a767.dspw65.akamai.net
  a767.dspw65.akamai.net IN A 84.53.175.122
  a767.dspw65.akamai.net IN A 84.53.175.34
-
Remote address: 8.8.8.8:53
Request: clientservices.googleapis.com IN A
Response: clientservices.googleapis.com IN A 142.250.179.131
-
Remote address: 8.8.8.8:53
Request: ssl.gstatic.com IN A
Response: ssl.gstatic.com IN A 172.217.17.35
-
Remote address: 8.8.8.8:53
Request: www.gstatic.com IN A
Response: www.gstatic.com IN A 142.250.179.131
-
Remote address: 8.8.8.8:53
Request: go.microsoft.com IN A
Response:
  go.microsoft.com IN CNAME go.microsoft.com.edgekey.net
  go.microsoft.com.edgekey.net IN CNAME e11290.dspg.akamaiedge.net
  e11290.dspg.akamaiedge.net IN A 95.101.206.92
-
Remote address: 8.8.8.8:53
Request: bazaar.abuse.ch IN A
Response:
  bazaar.abuse.ch IN CNAME p2.shared.global.fastly.net
  p2.shared.global.fastly.net IN A 151.101.2.49
  p2.shared.global.fastly.net IN A 151.101.66.49
  p2.shared.global.fastly.net IN A 151.101.130.49
  p2.shared.global.fastly.net IN A 151.101.194.49
-
GET http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx
Remote address: 172.217.17.78:80
Request:
GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx HTTP/1.1
Host: redirector.gvt1.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Response:
HTTP/1.1 302 Found
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
X-Content-Type-Options: nosniff
Location: http://r5---sn-aigzrne7.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=e_&mip=154.61.71.13&mm=28&mn=sn-aigzrne7&ms=nvh&mt=1623399140&mv=m&mvi=5&pl=24&rmhost=r3---sn-aigzrne7.gvt1.com&shardbypass=yes&smhost=r3---sn-aigzrn7k.gvt1.com
Content-Type: text/html; charset=UTF-8
Server: ClientMapServer
Content-Length: 592
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
-
GET http://r5---sn-aigzrne7.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=e_&mip=154.61.71.13&mm=28&mn=sn-aigzrne7&ms=nvh&mt=1623399140&mv=m&mvi=5&pl=24&rmhost=r3---sn-aigzrne7.gvt1.com&shardbypass=yes&smhost=r3---sn-aigzrn7k.gvt1.com
Remote address: 74.125.4.170:80
Request:
GET /edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=e_&mip=154.61.71.13&mm=28&mn=sn-aigzrne7&ms=nvh&mt=1623399140&mv=m&mvi=5&pl=24&rmhost=r3---sn-aigzrne7.gvt1.com&shardbypass=yes&smhost=r3---sn-aigzrn7k.gvt1.com HTTP/1.1
Host: r5---sn-aigzrne7.gvt1.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Response:
HTTP/1.1 200 OK
Cache-Control: public,max-age=86400
Content-Disposition: attachment
Content-Length: 248531
Content-Security-Policy: default-src 'none'
Content-Type: application/x-chrome-extension
Etag: "83cafb"
Server: downloads
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Date: Fri, 11 Jun 2021 00:31:04 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Last-Modified: Fri, 29 Jan 2021 00:09:35 GMT
Connection: keep-alive
Vary: Origin
-
Remote address: 8.8.8.8:53
Request: secure.globalsign.com IN A
Response:
  secure.globalsign.com IN CNAME global.prd.cdn.globalsign.com
  global.prd.cdn.globalsign.com IN CNAME prod.globalsign.map.fastly.net
  prod.globalsign.map.fastly.net IN A 151.101.2.133
  prod.globalsign.map.fastly.net IN A 151.101.66.133
  prod.globalsign.map.fastly.net IN A 151.101.130.133
  prod.globalsign.map.fastly.net IN A 151.101.194.133
-
Remote address: 8.8.8.8:53
Request: www.download.windowsupdate.com IN A
Response:
  www.download.windowsupdate.com IN CNAME wu-fg-shim.trafficmanager.net
  wu-fg-shim.trafficmanager.net IN CNAME 2-01-3cf7-0009.cdx.cedexis.net
  2-01-3cf7-0009.cdx.cedexis.net IN CNAME cds.d2s7q6s2.hwcdn.net
  cds.d2s7q6s2.hwcdn.net IN A 205.185.216.10
  cds.d2s7q6s2.hwcdn.net IN A 205.185.216.42
-
Remote address: 8.8.8.8:53
Request: cacerts.digicert.com IN A
Response:
  cacerts.digicert.com IN CNAME cdn.digicertcdn.com
  cdn.digicertcdn.com IN A 104.18.11.39
  cdn.digicertcdn.com IN A 104.18.10.39
-
Remote address: 8.8.8.8:53
Request: edgedl.me.gvt1.com IN A
Response: edgedl.me.gvt1.com IN A 34.104.35.123
-
HEAD http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
Remote address: 34.104.35.123:80
Request:
HEAD /edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
Host: edgedl.me.gvt1.com
Response:
HTTP/1.1 200 OK
content-disposition: attachment
content-length: 47502
content-security-policy: default-src 'none'
content-type: application/octet-stream
etag: "a1249b"
last-modified: Fri, 07 May 2021 17:49:07 GMT
server: Google-Edge-Cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
date: Thu, 10 Jun 2021 16:44:25 GMT
age: 56006
alt-svc: h3=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-29=":443"; ma=2592000
cache-control: public,max-age=86400
-
GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
Remote address: 34.104.35.123:80
Request:
GET /edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Fri, 07 May 2021 17:49:07 GMT
Range: bytes=0-5354
User-Agent: Microsoft BITS/7.5
Host: edgedl.me.gvt1.com
Response:
HTTP/1.1 206 Partial Content
content-disposition: attachment
content-length: 5355
content-security-policy: default-src 'none'
content-type: application/octet-stream
etag: "a1249b"
last-modified: Fri, 07 May 2021 17:49:07 GMT
server: Google-Edge-Cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
date: Thu, 10 Jun 2021 16:44:25 GMT
age: 56044
content-range: bytes 0-5354/47502
alt-svc: h3=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-29=":443"; ma=2592000
cache-control: public,max-age=86400
-
Remote address: 8.8.8.8:53
Request: ieonline.microsoft.com IN A
Response:
  ieonline.microsoft.com IN CNAME any.edge.bing.com
  any.edge.bing.com IN A 204.79.197.200
-
Remote address: 8.8.8.8:53
Request: ocsp.digicert.com IN A
Response:
  ocsp.digicert.com IN CNAME cs9.wac.phicdn.net
  cs9.wac.phicdn.net IN A 93.184.220.29
-
Remote address: 8.8.8.8:53
Request: crl.verisign.com IN A
Response:
  crl.verisign.com IN CNAME crl-symcprod.digicert.com
  crl-symcprod.digicert.com IN CNAME cs9.wac.phicdn.net
  cs9.wac.phicdn.net IN A 72.21.91.29
-
Remote address: 8.8.8.8:53
Request: www.microsoft.com IN A
Response:
  www.microsoft.com IN CNAME www.microsoft.com-c-3.edgekey.net
  www.microsoft.com-c-3.edgekey.net IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
  www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net IN CNAME e13678.dscb.akamaiedge.net
  e13678.dscb.akamaiedge.net IN A 2.21.41.70
-
Remote address: 8.8.8.8:53
Request: www.download.windowsupdate.com IN A
Response:
  www.download.windowsupdate.com IN CNAME wu-fg-shim.trafficmanager.net
  wu-fg-shim.trafficmanager.net IN CNAME 2-01-3cf7-0009.cdx.cedexis.net
  2-01-3cf7-0009.cdx.cedexis.net IN CNAME download.windowsupdate.com.edgesuite.net
  download.windowsupdate.com.edgesuite.net IN CNAME a767.dspw65.akamai.net
  a767.dspw65.akamai.net IN A 84.53.175.122
  a767.dspw65.akamai.net IN A 84.53.175.99
-
GET https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Process: IEXPLORE.EXE
Remote address: 151.101.2.49:443
Request:
GET /sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Length: 6210
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Cache-Control: no-store, no-cache, must-revalidate
Set-Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:28 GMT
Via: 1.1 varnish
X-Served-By: cache-ams21052-AMS
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1623399628.961118,VS0,VE935
Vary: Accept-Encoding
-
Remote address: 151.101.2.49:443
Request:
GET /css/bootstrap.min.css HTTP/1.1
Accept: text/css, */*
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response:
HTTP/1.1 200 OK
Content-Length: 23238
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Tue, 31 Mar 2020 10:58:16 GMT
ETag: "2606e-5a22471e07c28-gzip"
Cache-Control: max-age=15552000
Expires: Sun, 05 Dec 2021 23:52:19 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: text/css
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:28 GMT
Via: 1.1 varnish
Age: 203290
X-Served-By: cache-ams21052-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399629.943839,VS0,VE1
Vary: Accept-Encoding
-
Remote address: 151.101.2.49:443
Request:
GET /css/jumbotron.css HTTP/1.1
Accept: text/css, */*
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response:
HTTP/1.1 200 OK
Content-Length: 114
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Tue, 31 Mar 2020 10:58:18 GMT
ETag: "6b-5a22471fee1ff-gzip"
Cache-Control: max-age=15552000
Expires: Sun, 05 Dec 2021 23:52:19 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: text/css
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:28 GMT
Via: 1.1 varnish
Age: 203290
X-Served-By: cache-ams21052-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399629.951978,VS0,VE1
Vary: Accept-Encoding
-
Remote address: 151.101.2.49:443
Request:
GET /js/jquery-3.5.1.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response:
HTTP/1.1 200 OK
Content-Length: 30910
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Sun, 11 Oct 2020 08:47:56 GMT
ETag: "15d84-5b1613cf494c6-gzip"
Cache-Control: max-age=15552000
Expires: Mon, 06 Dec 2021 01:09:51 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: application/javascript
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:29 GMT
Via: 1.1 varnish
Age: 198637
X-Served-By: cache-ams21052-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399629.080407,VS0,VE1
Vary: Accept-Encoding
-
Remote address: 151.101.2.49:443
Request:
GET /js/popper.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response:
HTTP/1.1 200 OK
Content-Length: 7313
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Tue, 31 Mar 2020 10:56:39 GMT
ETag: "5083-5a2246c1372cb-gzip"
Cache-Control: max-age=15552000
Expires: Tue, 07 Dec 2021 01:26:34 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: application/javascript
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:29 GMT
Via: 1.1 varnish
Age: 111235
X-Served-By: cache-ams21052-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399629.149871,VS0,VE1
Vary: Accept-Encoding
-
Remote address: 151.101.2.49:443
Request:
GET /js/bootstrap.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response:
HTTP/1.1 200 OK
Content-Length: 15921
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Tue, 31 Mar 2020 10:56:36 GMT
ETag: "ea6a-5a2246be52e25-gzip"
Cache-Control: max-age=15552000
Expires: Mon, 06 Dec 2021 01:09:51 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: application/javascript
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:29 GMT
Via: 1.1 varnish
Age: 198638
X-Served-By: cache-ams21052-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399629.153728,VS0,VE0
Vary: Accept-Encoding
-
Remote address: 151.101.2.49:443
Request:
GET /js/clipboard.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response:
HTTP/1.1 200 OK
Content-Length: 3356
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Tue, 31 Mar 2020 10:56:37 GMT
ETag: "2a02-5a2246bfa7baf-gzip"
Cache-Control: max-age=15552000
Expires: Tue, 07 Dec 2021 01:43:19 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: application/javascript
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:29 GMT
Via: 1.1 varnish
Age: 110230
X-Served-By: cache-ams21052-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399629.158246,VS0,VE0
Vary: Accept-Encoding
-
Remote address: 151.101.2.49:443
Request:
GET /js/bazaar_functions.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response:
HTTP/1.1 200 OK
Content-Length: 4030
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Sat, 29 May 2021 07:02:35 GMT
ETag: "7337-5c37293b6c57d-gzip"
Cache-Control: max-age=15552000
Expires: Tue, 07 Dec 2021 01:43:19 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: application/javascript
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:29 GMT
Via: 1.1 varnish
Age: 110230
X-Served-By: cache-ams21052-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399629.208404,VS0,VE0
Vary: Accept-Encoding
-
Remote address: 151.101.2.49:443
Request:
GET /js/svg-pan-zoom.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response:
HTTP/1.1 200 OK
Content-Length: 8236
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Mon, 20 Jul 2020 12:51:44 GMT
ETag: "7448-5aadef80a8e54-gzip"
Cache-Control: max-age=15552000
Expires: Mon, 06 Dec 2021 23:23:06 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: application/javascript
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:29 GMT
Via: 1.1 varnish
Age: 118643
X-Served-By: cache-ams21052-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399629.291482,VS0,VE0
Vary: Accept-Encoding
-
Remote address: 142.250.179.131:80
Request:
GET /generate_204 HTTP/1.1
Host: www.gstatic.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Response:
HTTP/1.1 204 No Content
Date: Fri, 11 Jun 2021 08:20:19 GMT
-
Remote address: 151.101.2.49:443
Request:
GET /css/all.min.css HTTP/1.1
Accept: text/css, */*
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response:
HTTP/1.1 200 OK
Content-Length: 12674
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Tue, 31 Mar 2020 10:58:13 GMT
ETag: "e4d2-5a22471b39eea-gzip"
Cache-Control: max-age=15552000
Expires: Mon, 06 Dec 2021 00:02:18 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: text/css
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:57 GMT
Via: 1.1 varnish
Age: 202719
X-Served-By: cache-ams21025-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399657.087562,VS0,VE0
Vary: Accept-Encoding
-
Remote address: 151.101.2.49:443
Request
GET /webfonts/fa-solid-900.eot? HTTP/1.1
Accept: */*
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Origin: https://bazaar.abuse.ch
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response
HTTP/1.1 200 OK
Content-Length: 104371
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Cache-Control: max-age=2628000, public
Last-Modified: Tue, 31 Mar 2020 10:33:20 GMT
ETag: "31896-5a22418b4a5ee"
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: application/vnd.ms-fontobject
Content-Encoding: gzip
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:57 GMT
Via: 1.1 varnish
Age: 194263
X-Served-By: cache-ams21025-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399657.445015,VS0,VE1
Vary: Accept-Encoding
-
Remote address: 151.101.2.49:443
Request
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response
HTTP/1.1 200 OK
Content-Length: 543
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Tue, 17 Mar 2020 13:15:06 GMT
ETag: "208-5a10cb977cbc9"
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: image/vnd.microsoft.icon
Content-Encoding: gzip
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:21:04 GMT
Via: 1.1 varnish
Age: 520
X-Served-By: cache-ams21025-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399664.055789,VS0,VE0
Vary: Accept-Encoding
-
GET https://bazaar.abuse.ch/download/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Process: IEXPLORE.EXE
Remote address: 151.101.2.49:443
Request
GET /download/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response
HTTP/1.1 200 OK
Content-Length: 1553
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:21:25 GMT
Via: 1.1 varnish
Age: 0
X-Served-By: cache-ams21025-AMS
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1623399686.555171,VS0,VE126
Vary: Accept-Encoding
-
Remote address: 151.101.2.49:443
Request
GET /download/e5838a957f097ff8/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://bazaar.abuse.ch/download/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response
HTTP/1.1 200 OK
Content-Length: 69966
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename=60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df.zip
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: application/zip
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:21:31 GMT
Via: 1.1 varnish
Age: 0
X-Served-By: cache-ams21025-AMS
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1623399691.878281,VS0,VE185
-
Remote address: 151.101.2.49:443
Request
GET /css/custom.css HTTP/1.1
Accept: text/css, */*
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response
HTTP/1.1 200 OK
Content-Length: 1711
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Wed, 07 Apr 2021 16:12:03 GMT
ETag: "15b4-5bf6431001ea7-gzip"
Cache-Control: max-age=15552000
Expires: Mon, 06 Dec 2021 00:25:05 GMT
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: text/css
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:51 GMT
Via: 1.1 varnish
Age: 201346
X-Served-By: cache-ams21054-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399651.407116,VS0,VE0
Vary: Accept-Encoding
-
Remote address: 151.101.2.49:443
Request
GET /images/malwarebazaar_logo.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response
HTTP/1.1 200 OK
Content-Length: 4866
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Sun, 11 Oct 2020 09:36:52 GMT
ETag: "1302-5b161ebf5e105"
Cache-Control: max-age=31104000
Expires: Sun, 05 Jun 2022 03:52:24 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: image/png
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:57 GMT
Via: 1.1 varnish
Age: 102513
X-Served-By: cache-ams21072-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399657.220352,VS0,VE0
-
Remote address: 151.101.2.49:443
Request
GET /webfonts/fa-regular-400.eot? HTTP/1.1
Accept: */*
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Origin: https://bazaar.abuse.ch
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response
HTTP/1.1 200 OK
Content-Length: 16841
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Cache-Control: max-age=2628000, public
Last-Modified: Tue, 31 Mar 2020 10:33:19 GMT
ETag: "8656-5a22418a3cd1a"
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: application/vnd.ms-fontobject
Content-Encoding: gzip
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:57 GMT
Via: 1.1 varnish
Age: 104463
X-Served-By: cache-ams21072-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399657.442676,VS0,VE1
Vary: Accept-Encoding
-
Remote address: 151.101.2.49:443
Request
GET /images/avatar/1014590600652447744.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response
HTTP/1.1 200 OK
Content-Length: 1959
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Tue, 25 May 2021 19:22:28 GMT
ETag: "7a7-5c32c725c9501"
Cache-Control: max-age=31104000
Expires: Sat, 04 Jun 2022 00:37:48 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: image/jpeg
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:57 GMT
Via: 1.1 varnish
Age: 200588
X-Served-By: cache-ams21043-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399657.087866,VS0,VE0
-
Remote address: 151.101.2.49:443
Request
GET /images/flags/us.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: bazaar.abuse.ch
Connection: Keep-Alive
Cookie: BAZAAR=st0s0o8mj6frr784g7t150hp08
Response
HTTP/1.1 200 OK
Content-Length: 609
Server: Apache/2
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), usb=(), vr=()
Referrer-Policy: strict-origin-when-cross-origin
Expect-CT: enforce, max-age=86400
Content-Security-Policy: default-src 'self' https://fonts.gstatic.com:443 data:; style-src 'self' 'unsafe-inline' https://www.gstatic.com:443 https://fonts.googleapis.com:443; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com:443 https://www.google.com/recaptcha/; frame-src https://www.google.com/recaptcha/; img-src 'self' data: https:; object-src 'none'
Cross-Origin-Opener-Policy: same-origin; report-to="default"
Cross-Origin-Resource-Policy: same-site
Last-Modified: Mon, 23 Dec 2019 12:33:13 GMT
ETag: "261-59a5e3b2b19f4"
Cache-Control: max-age=31104000
Expires: Sun, 05 Jun 2022 00:32:42 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Content-Type: image/png
Accept-Ranges: bytes
Date: Fri, 11 Jun 2021 08:20:56 GMT
Via: 1.1 varnish
Age: 114494
X-Served-By: cache-ams21056-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1623399657.801319,VS0,VE0
-
Remote address: 8.8.8.8:53
Request
notifier.win-rar.com IN A
Response
notifier.win-rar.com IN A 51.195.68.173
-
GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
Remote address: 34.104.35.123:80
Request
GET /edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Fri, 07 May 2021 17:49:07 GMT
Range: bytes=5355-12438
User-Agent: Microsoft BITS/7.5
Host: edgedl.me.gvt1.com
Response
HTTP/1.1 206 Partial Content
content-disposition: attachment
content-length: 7084
content-security-policy: default-src 'none'
content-type: application/octet-stream
etag: "a1249b"
last-modified: Fri, 07 May 2021 17:49:07 GMT
server: Google-Edge-Cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
date: Thu, 10 Jun 2021 16:44:25 GMT
age: 56235
content-range: bytes 5355-12438/47502
alt-svc: h3=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-29=":443"; ma=2592000
cache-control: public,max-age=86400
-
GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
Remote address: 34.104.35.123:80
Request
GET /edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Fri, 07 May 2021 17:49:07 GMT
Range: bytes=12439-19381
User-Agent: Microsoft BITS/7.5
Host: edgedl.me.gvt1.com
Response
HTTP/1.1 206 Partial Content
content-disposition: attachment
content-length: 6943
content-security-policy: default-src 'none'
content-type: application/octet-stream
etag: "a1249b"
last-modified: Fri, 07 May 2021 17:49:07 GMT
server: Google-Edge-Cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
date: Thu, 10 Jun 2021 16:44:25 GMT
age: 56385
content-range: bytes 12439-19381/47502
alt-svc: h3=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-29=":443"; ma=2592000
cache-control: public,max-age=86400
-
GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
Remote address: 34.104.35.123:80
Request
GET /edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Fri, 07 May 2021 17:49:07 GMT
Range: bytes=19382-26876
User-Agent: Microsoft BITS/7.5
Host: edgedl.me.gvt1.com
Response
HTTP/1.1 206 Partial Content
content-disposition: attachment
content-length: 7495
content-security-policy: default-src 'none'
content-type: application/octet-stream
etag: "a1249b"
last-modified: Fri, 07 May 2021 17:49:07 GMT
server: Google-Edge-Cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
date: Thu, 10 Jun 2021 16:44:25 GMT
age: 56521
content-range: bytes 19382-26876/47502
alt-svc: h3=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-29=":443"; ma=2592000
cache-control: public,max-age=86400
-
GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
Remote address: 34.104.35.123:80
Request
GET /edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Fri, 07 May 2021 17:49:07 GMT
Range: bytes=26877-35050
User-Agent: Microsoft BITS/7.5
Host: edgedl.me.gvt1.com
Response
HTTP/1.1 206 Partial Content
content-disposition: attachment
content-length: 8174
content-security-policy: default-src 'none'
content-type: application/octet-stream
etag: "a1249b"
last-modified: Fri, 07 May 2021 17:49:07 GMT
server: Google-Edge-Cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
date: Thu, 10 Jun 2021 16:44:25 GMT
age: 56531
content-range: bytes 26877-35050/47502
alt-svc: h3=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-29=":443"; ma=2592000
cache-control: public,max-age=86400
-
GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
Remote address: 34.104.35.123:80
Request
GET /edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Fri, 07 May 2021 17:49:07 GMT
Range: bytes=35051-42880
User-Agent: Microsoft BITS/7.5
Host: edgedl.me.gvt1.com
Response
HTTP/1.1 206 Partial Content
content-disposition: attachment
content-length: 7830
content-security-policy: default-src 'none'
content-type: application/octet-stream
etag: "a1249b"
last-modified: Fri, 07 May 2021 17:49:07 GMT
server: Google-Edge-Cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
date: Thu, 10 Jun 2021 16:44:25 GMT
age: 56539
content-range: bytes 35051-42880/47502
alt-svc: h3=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-29=":443"; ma=2592000
cache-control: public,max-age=86400
-
GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
Remote address: 34.104.35.123:80
Request
GET /edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Fri, 07 May 2021 17:49:07 GMT
Range: bytes=42881-47501
User-Agent: Microsoft BITS/7.5
Host: edgedl.me.gvt1.com
Response
HTTP/1.1 206 Partial Content
content-disposition: attachment
content-length: 4621
content-security-policy: default-src 'none'
content-type: application/octet-stream
etag: "a1249b"
last-modified: Fri, 07 May 2021 17:49:07 GMT
server: Google-Edge-Cache
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 0
date: Thu, 10 Jun 2021 16:44:25 GMT
age: 56546
content-range: bytes 42881-47501/47502
alt-svc: h3=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-29=":443"; ma=2592000
cache-control: public,max-age=86400
-
Network flows (bytes sent, bytes received, packets sent, packets received)
-
357 B 2.8kB 5 5
HTTP Request: GET http://pki.goog/gsr1/gsr1.crt
HTTP Response: 200
-
357 B 3.0kB 5 5
HTTP Request: GET http://pki.goog/gsr1/gsr1.crt
HTTP Response: 200
-
357 B 3.0kB 5 5
HTTP Request: GET http://pki.goog/gsr1/gsr1.crt
HTTP Response: 200
-
351 B 1.5kB 5 4
HTTP Request: GET http://pki.goog/gsr1/gsr1.crt
HTTP Response: 200
-
172.217.17.78:80 http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx http
953 B 3.1kB 12 12
HTTP Request: GET http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx
HTTP Response: 302
-
74.125.4.170:80 http://r5---sn-aigzrne7.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=e_&mip=154.61.71.13&mm=28&mn=sn-aigzrne7&ms=nvh&mt=1623399140&mv=m&mvi=5&pl=24&rmhost=r3---sn-aigzrne7.gvt1.com&shardbypass=yes&smhost=r3---sn-aigzrn7k.gvt1.com http
5.4kB 256.7kB 105 187
HTTP Request: GET http://r5---sn-aigzrne7.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=e_&mip=154.61.71.13&mm=28&mn=sn-aigzrne7&ms=nvh&mt=1623399140&mv=m&mvi=5&pl=24&rmhost=r3---sn-aigzrne7.gvt1.com&shardbypass=yes&smhost=r3---sn-aigzrn7k.gvt1.com
HTTP Response: 200
-
34.104.35.123:80 http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo http
509 B 1.3kB 6 6
HTTP Request: HEAD http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
HTTP Response: 200
-
34.104.35.123:80 http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo http
673 B 6.5kB 8 10
HTTP Request: GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
HTTP Response: 206
-
7.1kB 122.8kB 58 102
HTTP Request: GET https://bazaar.abuse.ch/sample/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
HTTP Response: 200
HTTP Request: GET https://bazaar.abuse.ch/css/bootstrap.min.css
HTTP Response: 200
HTTP Request: GET https://bazaar.abuse.ch/css/jumbotron.css
HTTP Response: 200
HTTP Request: GET https://bazaar.abuse.ch/js/jquery-3.5.1.min.js
HTTP Response: 200
HTTP Request: GET https://bazaar.abuse.ch/js/popper.min.js
HTTP Response: 200
HTTP Request: GET https://bazaar.abuse.ch/js/bootstrap.min.js
HTTP Response: 200
HTTP Request: GET https://bazaar.abuse.ch/js/clipboard.min.js
HTTP Response: 200
HTTP Request: GET https://bazaar.abuse.ch/js/bazaar_functions.js
HTTP Response: 200
HTTP Request: GET https://bazaar.abuse.ch/js/svg-pan-zoom.min.js
HTTP Response: 200
-
733 B 534 B 9 8
HTTP Request: GET http://www.gstatic.com/generate_204
HTTP Response: 204
-
6.6kB 213.3kB 88 159
HTTP Request: GET https://bazaar.abuse.ch/css/all.min.css
HTTP Response: 200
HTTP Request: GET https://bazaar.abuse.ch/webfonts/fa-solid-900.eot?
HTTP Response: 200
HTTP Request: GET https://bazaar.abuse.ch/favicon.ico
HTTP Response: 200
HTTP Request: GET https://bazaar.abuse.ch/download/60ef0ca5e6e7d62a7750cfe1c0b08d473cb19a6817a799f035ac56e0d27ce3df/
HTTP Response: 200
HTTP Request: GET https://bazaar.abuse.ch/download/e5838a957f097ff8/
HTTP Response: 200
-
1.1kB 4.0kB 8 8
HTTP Request: GET https://bazaar.abuse.ch/css/custom.css
HTTP Response: 200
-
2.0kB 28.0kB 17 26
HTTP Request: GET https://bazaar.abuse.ch/images/malwarebazaar_logo.png
HTTP Response: 200
HTTP Request: GET https://bazaar.abuse.ch/webfonts/fa-regular-400.eot?
HTTP Response: 200
-
151.101.2.49:443 https://bazaar.abuse.ch/images/avatar/1014590600652447744.jpg tls, http IEXPLORE.EXE
1.2kB 4.9kB 8 9
HTTP Request: GET https://bazaar.abuse.ch/images/avatar/1014590600652447744.jpg
HTTP Response: 200
-
1.1kB 2.7kB 7 7
HTTP Request: GET https://bazaar.abuse.ch/images/flags/us.png
HTTP Response: 200
-
34.104.35.123:80 http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo http
671 B 8.1kB 8 10
HTTP Request: GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
HTTP Response: 206
-
34.104.35.123:80 http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo http
672 B 7.9kB 8 10
HTTP Request: GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
HTTP Response: 206
-
34.104.35.123:80 http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo http
2.1kB 31.7kB 20 28
HTTP Request: GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
HTTP Response: 206
HTTP Request: GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
HTTP Response: 206
HTTP Request: GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
HTTP Response: 206
HTTP Request: GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/CLzUPOY7PeNCWmHSoqszxQ_9.27.0/ANtasjH7xNWfWeoqykUYSZo
HTTP Response: 206
-
325 B 81 B 5 1
DNS Request: accounts.google.com (sent 5 times)
DNS Response: 172.217.17.109
-
325 B 81 B 5 1
DNS Request: redirector.gvt1.com (sent 5 times)
DNS Response: 172.217.17.78
-
325 B 105 B 5 1
DNS Request: clients2.google.com (sent 5 times)
DNS Response: 172.217.20.78
-
168 B 88 B 3 1
DNS Request: dns.google (sent 3 times)
DNS Response: 8.8.8.8, 8.8.4.4
-
168 B 88 B 3 1
DNS Request: dns.google (sent 3 times)
DNS Response: 8.8.8.8, 8.8.4.4
-
168 B 88 B 3 1
DNS Request: dns.google (sent 3 times)
DNS Response: 8.8.8.8, 8.8.4.4
-
60 B 76 B 1 1
DNS Request: www.google.com
DNS Response: 142.250.179.196
-
54 B 70 B 1 1
DNS Request: pki.goog
DNS Response: 216.239.32.29
-
76 B 296 B 1 1
DNS Request: www.download.windowsupdate.com
DNS Response: 8.238.111.254, 67.24.35.254, 67.26.109.254, 8.253.208.112, 8.253.208.120
-
76 B 276 B 1 1
DNS Request: www.download.windowsupdate.com
DNS Response: 84.53.175.122, 84.53.175.34
-
76 B 276 B 1 1
DNS Request: www.download.windowsupdate.com
DNS Response: 84.53.175.122, 84.53.175.34
-
76 B 276 B 1 1
DNS Request: www.download.windowsupdate.com
DNS Response: 84.53.175.122, 84.53.175.34
-
65 B 105 B 1 1
DNS Request: clients2.google.com
DNS Response: 172.217.20.78
-
65 B 81 B 1 1
DNS Request: redirector.gvt1.com
DNS Response: 172.217.17.78
-
75 B 91 B 1 1
DNS Request: clientservices.googleapis.com
DNS Response: 142.250.179.131
-
65 B 81 B 1 1
DNS Request: accounts.google.com
DNS Response: 172.217.17.109
-
61 B 77 B 1 1
DNS Request: ssl.gstatic.com
DNS Response: 172.217.17.35
-
65 B 81 B 1 1
DNS Request: accounts.google.com
DNS Response: 172.217.17.109
-
56 B 88 B 1 1
DNS Request: dns.google
DNS Response: 8.8.8.8, 8.8.4.4
-
56 B 88 B 1 1
DNS Request: dns.google
DNS Response: 8.8.8.8, 8.8.4.4
-
61 B 77 B 1 1
DNS Request: www.gstatic.com
DNS Response: 142.250.179.131
-
65 B 105 B 1 1
DNS Request: clients2.google.com
DNS Response: 172.217.20.78
-
60 B 76 B 1 1
DNS Request: www.google.com
DNS Response: 142.250.179.196
-
62 B 157 B 1 1
DNS Request: go.microsoft.com
DNS Response: 95.101.206.92
-
61 B 166 B 1 1
DNS Request: bazaar.abuse.ch
DNS Response: 151.101.2.49, 151.101.66.49, 151.101.130.49, 151.101.194.49
-
67 B 204 B 1 1
DNS Request: secure.globalsign.com
DNS Response: 151.101.2.133, 151.101.66.133, 151.101.130.133, 151.101.194.133
-
67 B 204 B 1 1
DNS Request: secure.globalsign.com
DNS Response: 151.101.2.133, 151.101.66.133, 151.101.130.133, 151.101.194.133
-
76 B 225 B 1 1
DNS Request: www.download.windowsupdate.com
DNS Response: 205.185.216.10, 205.185.216.42
-
76 B 225 B 1 1
DNS Request: www.download.windowsupdate.com
DNS Response: 205.185.216.10, 205.185.216.42
-
66 B 128 B 1 1
DNS Request: cacerts.digicert.com
DNS Response: 104.18.11.39, 104.18.10.39
-
64 B 80 B 1 1
DNS Request: edgedl.me.gvt1.com
DNS Response: 34.104.35.123
-
68 B 112 B 1 1
DNS Request: ieonline.microsoft.com
DNS Response: 204.79.197.200
-
63 B 111 B 1 1
DNS Request: ocsp.digicert.com
DNS Response: 93.184.220.29
-
3.2kB 3.1kB 6 7
-
2.4kB 3.9kB 9 11
-
62 B 146 B 1 1
DNS Request
crl.verisign.com
DNS Response
72.21.91.29
-
63 B 230 B 1 1
DNS Request
www.microsoft.com
DNS Response
2.21.41.70
-
76 B 276 B 1 1
DNS Request
www.download.windowsupdate.com
DNS Response
84.53.175.12284.53.175.99
-
4.9kB 9.0kB 31 39
-
2.7kB 3.3kB 12 15
-
2.4kB 7.6kB 11 13
-
3.8kB 7.9kB 11 15
-
2.0kB 3.1kB 6 7
-
2.7kB 7.4kB 10 14
-
3.3kB 3.2kB 7 8
-
4.0kB 11.5kB 15 17
-
3.7kB 21.9kB 12 19
-
66 B 82 B 1 1
DNS Request
notifier.win-rar.com
DNS Response
51.195.68.173
-
2.3kB 4.6kB 6 8
-
2.0kB 3.1kB 6 7
-
2.0kB 3.1kB 6 7
-
2.0kB 3.1kB 6 7
-
2.0kB 3.1kB 6 7
-
1.7kB 7.3kB 5 8
-
2.1kB 4.5kB 7 8
-
2.4kB 4.6kB 8 9