eternity | hxxps://github[.]com/L3GOGT/Growtopia-Duplicator-Exploit/releases/download/working/GT[.]Duplicator[.]Exploit[.]zip

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2023, 13:52 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/L3GOGT/Growtopia-Duplicator-Exploit/releases/download/working/GT.Duplicator.Exploit.zip

Score

10^/10

eternity stealer

Malware Config

Signatures

Detects Eternity stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/2292-103-0x0000000000990000-0x0000000000A76000-memory.dmp	eternity_stealer
behavioral1/files/0x0008000000023128-143.dat	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemFreezer.exe	SystemFreezer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemFreezer.exe	SystemFreezer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemFreezer.exe	SystemFreezer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemFreezer.exe	SystemFreezer.exe

Executes dropped EXE 3 IoCs

pid	Process
3180	dcd.exe
4836	dcd.exe
4836	dcd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
4524	msedge.exe
4524	msedge.exe
4992	identity_helper.exe
4992	identity_helper.exe
1320	msedge.exe
1320	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	SystemFreezer.exe
Token: SeDebugPrivilege	5084	SystemFreezer.exe
Token: SeDebugPrivilege	628	SystemFreezer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 3140	8	msedge.exe	87
PID 8 wrote to memory of 3140	8	msedge.exe	87
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4868	8	msedge.exe	89
PID 8 wrote to memory of 4524	8	msedge.exe	91
PID 8 wrote to memory of 4524	8	msedge.exe	91
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90
PID 8 wrote to memory of 1636	8	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/L3GOGT/Growtopia-Duplicator-Exploit/releases/download/working/GT.Duplicator.Exploit.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ec1946f8,0x7ff8ec194708,0x7ff8ec194718
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,3929024001078929481,17588997358885815400,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3440 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\Temp1_GT.Duplicator.Exploit.zip\GT Duplicator Exploit\SystemFreezer.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_GT.Duplicator.Exploit.zip\GT Duplicator Exploit\SystemFreezer.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2292
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:3180

C:\Users\Admin\AppData\Local\Temp\Temp1_GT.Duplicator.Exploit.zip\GT Duplicator Exploit\SystemFreezer.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_GT.Duplicator.Exploit.zip\GT Duplicator Exploit\SystemFreezer.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:5084
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4836

C:\Users\Admin\AppData\Local\Temp\Temp1_GT.Duplicator.Exploit.zip\GT Duplicator Exploit\SystemFreezer.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_GT.Duplicator.Exploit.zip\GT Duplicator Exploit\SystemFreezer.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:628
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4836

Network

DNS

67.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.31.126.40.in-addr.arpa

IN PTR

Response
DNS

github.com

msedge.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

140.82.121.4
GET

https://github.com/L3GOGT/Growtopia-Duplicator-Exploit/releases/download/working/GT.Duplicator.Exploit.zip

msedge.exe

Remote address:

140.82.121.4:443

Request

GET /L3GOGT/Growtopia-Duplicator-Exploit/releases/download/working/GT.Duplicator.Exploit.zip HTTP/2.0
host: github.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 302

server: GitHub.com
date: Tue, 28 Nov 2023 13:52:13 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/720728519/61dfee5a-f15d-4efe-af74-89e64074c3e8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231128%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231128T135213Z&X-Amz-Expires=300&X-Amz-Signature=015bdac000d887ef1119379a29a54a90df4fc22aa6110245de2f8a59376b7574&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=720728519&response-content-disposition=attachment%3B%20filename%3DGT.Duplicator.Exploit.zip&response-content-type=application%2Foctet-stream
cache-control: no-cache
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.githubcopilot.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events objects-origin.githubusercontent.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com support.github.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
content-length: 0
x-github-request-id: E8B0:62AC:1EBEFC2E:1F304021:6565F08D
DNS

4.121.82.140.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.121.82.140.in-addr.arpa

IN PTR

Response

4.121.82.140.in-addr.arpa

IN PTR

lb-140-82-121-4-fragithubcom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

198.1.85.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.1.85.104.in-addr.arpa

IN PTR

Response

198.1.85.104.in-addr.arpa

IN PTR

a104-85-1-198deploystaticakamaitechnologiescom
DNS

objects.githubusercontent.com

msedge.exe

Remote address:

8.8.8.8:53

Request

objects.githubusercontent.com

IN A

Response

objects.githubusercontent.com

IN A

185.199.108.133

objects.githubusercontent.com

IN A

185.199.109.133

objects.githubusercontent.com

IN A

185.199.110.133

objects.githubusercontent.com

IN A

185.199.111.133
GET

https://objects.githubusercontent.com/github-production-release-asset-2e65be/720728519/61dfee5a-f15d-4efe-af74-89e64074c3e8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231128%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231128T135213Z&X-Amz-Expires=300&X-Amz-Signature=015bdac000d887ef1119379a29a54a90df4fc22aa6110245de2f8a59376b7574&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=720728519&response-content-disposition=attachment%3B%20filename%3DGT.Duplicator.Exploit.zip&response-content-type=application%2Foctet-stream

msedge.exe

Remote address:

185.199.108.133:443

Request

GET /github-production-release-asset-2e65be/720728519/61dfee5a-f15d-4efe-af74-89e64074c3e8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231128%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231128T135213Z&X-Amz-Expires=300&X-Amz-Signature=015bdac000d887ef1119379a29a54a90df4fc22aa6110245de2f8a59376b7574&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=720728519&response-content-disposition=attachment%3B%20filename%3DGT.Duplicator.Exploit.zip&response-content-type=application%2Foctet-stream HTTP/2.0
host: objects.githubusercontent.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

content-type: application/octet-stream
content-md5: GfO0C695U/IGjsPxSKLBqg==
last-modified: Sun, 19 Nov 2023 12:22:25 GMT
etag: "0x8DBE8FA30AAC443"
server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 5edde0d4-001e-0005-1b02-22338e000000
x-ms-version: 2020-04-08
x-ms-creation-time: Sun, 19 Nov 2023 12:22:25 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
content-disposition: attachment; filename=GT.Duplicator.Exploit.zip
x-ms-server-encrypted: true
via: 1.1 varnish, 1.1 varnish
accept-ranges: bytes
date: Tue, 28 Nov 2023 13:52:14 GMT
age: 0
x-served-by: cache-iad-kcgs7200156-IAD, cache-ams21049-AMS
x-cache: MISS, MISS
x-cache-hits: 0, 0
x-timer: S1701179534.065010,VS0,VE200
content-length: 621971
DNS

133.108.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.108.199.185.in-addr.arpa

IN PTR

Response

133.108.199.185.in-addr.arpa

IN PTR

cdn-185-199-108-133githubcom
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bcbb8f4ef115421f80ba1d9d12532185&localId=w:5DA71B07-9A86-3028-7BAC-0A2B03A6FF03&deviceId=6896189400010801&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bcbb8f4ef115421f80ba1d9d12532185&localId=w:5DA71B07-9A86-3028-7BAC-0A2B03A6FF03&deviceId=6896189400010801&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2A476F7E58156B910E6D7CA9595D6AD8; domain=.bing.com; expires=Sun, 22-Dec-2024 13:52:19 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3989A48A86A04827AC828F0B5CC2D2FC Ref B: BRU30EDGE0907 Ref C: 2023-11-28T13:52:19Z
date: Tue, 28 Nov 2023 13:52:18 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=bcbb8f4ef115421f80ba1d9d12532185&localId=w:5DA71B07-9A86-3028-7BAC-0A2B03A6FF03&deviceId=6896189400010801&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=bcbb8f4ef115421f80ba1d9d12532185&localId=w:5DA71B07-9A86-3028-7BAC-0A2B03A6FF03&deviceId=6896189400010801&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2A476F7E58156B910E6D7CA9595D6AD8

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 45C4889E966842BB9B390BD15808588A Ref B: BRU30EDGE0907 Ref C: 2023-11-28T13:52:19Z
date: Tue, 28 Nov 2023 13:52:18 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bcbb8f4ef115421f80ba1d9d12532185&localId=w:5DA71B07-9A86-3028-7BAC-0A2B03A6FF03&deviceId=6896189400010801&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bcbb8f4ef115421f80ba1d9d12532185&localId=w:5DA71B07-9A86-3028-7BAC-0A2B03A6FF03&deviceId=6896189400010801&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2A476F7E58156B910E6D7CA9595D6AD8

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1298DE09DCE44B9699EB991884C9C6DB Ref B: BRU30EDGE0907 Ref C: 2023-11-28T13:52:19Z
date: Tue, 28 Nov 2023 13:52:18 GMT
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

203.33.253.131.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.33.253.131.in-addr.arpa

IN PTR

Response

203.33.253.131.in-addr.arpa

IN PTR

a-0003 dc-msedgenet
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

25.14.97.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

25.14.97.104.in-addr.arpa

IN PTR

Response

25.14.97.104.in-addr.arpa

IN PTR

a104-97-14-25deploystaticakamaitechnologiescom
DNS

google.com

SystemFreezer.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

142.250.179.142
GET

http://google.com/generate_204

SystemFreezer.exe

Remote address:

142.250.179.142:80

Request

GET /generate_204 HTTP/1.1
Host: google.com
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Content-Length: 0
Cross-Origin-Resource-Policy: cross-origin
Date: Tue, 28 Nov 2023 13:52:44 GMT
DNS

142.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

142.179.250.142.in-addr.arpa

IN PTR

Response

142.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f141e100net
DNS

api.imgbb.com

SystemFreezer.exe

Remote address:

8.8.8.8:53

Request

api.imgbb.com

IN A

Response

api.imgbb.com

IN A

188.114.97.0

api.imgbb.com

IN A

188.114.96.0
POST

https://api.imgbb.com/1/upload?key=78adae1bfa0e608b56435fa339987449

SystemFreezer.exe

Remote address:

188.114.97.0:443

Request

POST /1/upload?key=78adae1bfa0e608b56435fa339987449 HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: api.imgbb.com
Content-Length: 88722
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Date: Tue, 28 Nov 2023 13:52:46 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
access-control-allow-headers: Cache-Control, X-Requested-With, Content-Type
access-control-allow-methods: POST, GET, OPTIONS
last-modified: Tue, 28 Nov 2023 13:52:46GMT
Cache-Control: no-cache, must-revalidate
pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nR7K3DEl6%2B1A5zUIIZ7%2FO1PFT9WeS25o5cm14RpuFXCOVyB9Hqae%2F%2Bq9Bt1e%2BLCq0d2er%2B2mu%2Blv8LYtP3GHIEWtbRae6Gfp55lVCG32beY8BEBc7%2Fe5p4F9I4fzYUJ6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82d317e10c651c84-AMS
alt-svc: h3=":443"; ma=86400
DNS

eterprx.net

SystemFreezer.exe

Remote address:

8.8.8.8:53

Request

eterprx.net

IN A

Response

eterprx.net

IN A

104.21.20.223

eterprx.net

IN A

172.67.194.181
POST

https://eterprx.net/api/accounts

SystemFreezer.exe

Remote address:

104.21.20.223:443

Request

POST /api/accounts HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: eterprx.net
Content-Length: 221
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Date: Tue, 28 Nov 2023 13:52:46 GMT
Content-Type: application/json
Content-Length: 23
Connection: keep-alive
x-powered-by: PHP/7.2.34
cache-control: no-cache, private
x-ratelimit-limit: 30
x-ratelimit-remaining: 29
vary: User-Agent
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=g2SoWJbe4Y%2F0aaV0UQAIV0h3Yds86HpCr49IZLrazNoSGrIkBwoYj7x%2Fk0NsDuHZ667Weun2TM7hd56oMyvOzPURgghnHVNq1E%2BYVFVAbwH0XGhf4ntRTe6nXA8HDg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82d317e20e29660a-AMS
alt-svc: h3=":443"; ma=86400
DNS

eternitypr.net

SystemFreezer.exe

Remote address:

8.8.8.8:53

Request

eternitypr.net

IN A

Response

eternitypr.net

IN A

172.67.199.29

eternitypr.net

IN A

104.21.21.142
POST

https://eternitypr.net/api/accounts

SystemFreezer.exe

Remote address:

172.67.199.29:443

Request

POST /api/accounts HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: eternitypr.net
Content-Length: 221
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Date: Tue, 28 Nov 2023 13:52:46 GMT
Content-Type: application/json
Content-Length: 23
Connection: keep-alive
x-powered-by: PHP/7.2.34
cache-control: no-cache, private
x-ratelimit-limit: 30
x-ratelimit-remaining: 29
vary: User-Agent
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=azgDfX1WpJ2aHj%2FRSDTITfaauazqt5DLLoHgMY0c4xMCY2mVwXPTzjHtxN%2B8PTZLgq3697ZG8E5I6J8n6lqaamwP3rerDTd5c6j5gecF0CvglkILQJ4WQnpRfplyErr86w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82d317e3294e1c90-AMS
alt-svc: h3=":443"; ma=86400
DNS

0.97.114.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.97.114.188.in-addr.arpa

IN PTR

Response
DNS

223.20.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

223.20.21.104.in-addr.arpa

IN PTR

Response
DNS

29.199.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.199.67.172.in-addr.arpa

IN PTR

Response
DNS

126.23.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.23.238.8.in-addr.arpa

IN PTR

Response
GET

http://google.com/generate_204

SystemFreezer.exe

Remote address:

142.250.179.142:80

Request

GET /generate_204 HTTP/1.1
Host: google.com
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Content-Length: 0
Cross-Origin-Resource-Policy: cross-origin
Date: Tue, 28 Nov 2023 13:53:15 GMT
POST

https://api.imgbb.com/1/upload?key=78adae1bfa0e608b56435fa339987449

SystemFreezer.exe

Remote address:

188.114.97.0:443

Request

POST /1/upload?key=78adae1bfa0e608b56435fa339987449 HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: api.imgbb.com
Content-Length: 88780
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Date: Tue, 28 Nov 2023 13:53:16 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
access-control-allow-headers: Cache-Control, X-Requested-With, Content-Type
access-control-allow-methods: POST, GET, OPTIONS
last-modified: Tue, 28 Nov 2023 13:53:16GMT
Cache-Control: no-cache, must-revalidate
pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GEPM15lB6tRIsJyYLAxLVT%2BEcQN53bsKi79jz8zG2%2B4zzUiZvrDPYlI%2BEYZZhTiKzqLiihW39ToghQ18VLQR7OvhX8z2Ox9y6UuRYMMo%2BNRqZm2lt6JOHBAKIcTCUgmM"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82d3189b88ddb706-AMS
alt-svc: h3=":443"; ma=86400
POST

https://eterprx.net/api/accounts

SystemFreezer.exe

Remote address:

104.21.20.223:443

Request

POST /api/accounts HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: eterprx.net
Content-Length: 221
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Date: Tue, 28 Nov 2023 13:53:16 GMT
Content-Type: application/json
Content-Length: 23
Connection: keep-alive
x-powered-by: PHP/7.2.34
cache-control: no-cache, private
x-ratelimit-limit: 30
x-ratelimit-remaining: 28
vary: User-Agent
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YmnFOMNDQkke2l8x%2FKTruPQUoNAzPTOUNO1p0wX6A2hGCObPhFhOVcFMzG9teDeDgvbUUlTjABdVLuSBhopH%2BDI5yR3XlVQJQ%2BtR%2Byu3GJjt6CLULvcs4C8xns2MUw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82d3189c59896692-AMS
alt-svc: h3=":443"; ma=86400
POST

https://eternitypr.net/api/accounts

SystemFreezer.exe

Remote address:

172.67.199.29:443

Request

POST /api/accounts HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: eternitypr.net
Content-Length: 221
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Date: Tue, 28 Nov 2023 13:53:16 GMT
Content-Type: application/json
Content-Length: 23
Connection: keep-alive
x-powered-by: PHP/7.2.34
cache-control: no-cache, private
x-ratelimit-limit: 30
x-ratelimit-remaining: 28
vary: User-Agent
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eRcas3BbTw3P8IdEIN%2FVjyXQRjguIsIuQrd7Oym07aDodeWbKQYcln5sXxmJFG3MJb6tJBjI5J2cCK2KFnzFaibj9kB1ytAv6WSI5avR8SyX2PSJqJkJUwq5tJX8lNoPNA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82d3189d4c0c0bb0-AMS
alt-svc: h3=":443"; ma=86400
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
GET

http://google.com/generate_204

SystemFreezer.exe

Remote address:

142.250.179.142:80

Request

GET /generate_204 HTTP/1.1
Host: google.com
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Content-Length: 0
Cross-Origin-Resource-Policy: cross-origin
Date: Tue, 28 Nov 2023 13:54:01 GMT
POST

https://api.imgbb.com/1/upload?key=78adae1bfa0e608b56435fa339987449

SystemFreezer.exe

Remote address:

188.114.97.0:443

Request

POST /1/upload?key=78adae1bfa0e608b56435fa339987449 HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Host: api.imgbb.com
Content-Length: 88780
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Date: Tue, 28 Nov 2023 13:54:01 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
access-control-allow-origin: *
access-control-allow-headers: Cache-Control, X-Requested-With, Content-Type
access-control-allow-methods: POST, GET, OPTIONS
last-modified: Tue, 28 Nov 2023 13:54:01GMT
Cache-Control: no-cache, must-revalidate
pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BzleUYrKox51CBFm7Un1McYrcmpBUaHIfXFIPJoyIvwi%2FHYX0gRUscAzDtrfsARRUZryJd6goc93ufvSEq5SnR3zSSizg6t9ILrqdmNTTCwzcOCaz%2FBeY3%2FKf%2F5o%2B6%2Bx"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82d319ba198a672a-AMS
alt-svc: h3=":443"; ma=86400
POST

https://eterprx.net/api/accounts

SystemFreezer.exe

Remote address:

104.21.20.223:443

Request

POST /api/accounts HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: eterprx.net
Content-Length: 221
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Date: Tue, 28 Nov 2023 13:54:02 GMT
Content-Type: application/json
Content-Length: 23
Connection: keep-alive
x-powered-by: PHP/7.2.34
cache-control: no-cache, private
x-ratelimit-limit: 30
x-ratelimit-remaining: 29
vary: User-Agent
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Q0K2PDqlyhJiP78NPPqam4opuXZvH1HAytYz5zsKIUhPEwrJFtrgsx8eYqysDX1YLpkjhymo5QPQO9cX5Wg2eMXCZvMcKAzeHxAWsEwqZCAf3s1hnwH%2B1hC0Er4I6g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82d319bb1e220e6c-AMS
alt-svc: h3=":443"; ma=86400
POST

https://eternitypr.net/api/accounts

SystemFreezer.exe

Remote address:

172.67.199.29:443

Request

POST /api/accounts HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: eternitypr.net
Content-Length: 221
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Date: Tue, 28 Nov 2023 13:54:02 GMT
Content-Type: application/json
Content-Length: 23
Connection: keep-alive
x-powered-by: PHP/7.2.34
cache-control: no-cache, private
x-ratelimit-limit: 30
x-ratelimit-remaining: 29
vary: User-Agent
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fGvCic%2F%2BvYKvSEr%2BFRdpyQ0OSjANvkOKkXQmziFSZt7qUgpj%2FQoMJaYY2zPXq6xFUSh1GcgAj3gbdNhmI%2B8j7JgVeCxsTFxxlf%2BAwLT3ooMGtpT2FsPQsdGuhYFNFW090A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 82d319bcfef8669f-AMS
alt-svc: h3=":443"; ma=86400
DNS

9.73.50.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.73.50.20.in-addr.arpa

IN PTR

Response

140.82.121.4:443

https://github.com/L3GOGT/Growtopia-Duplicator-Exploit/releases/download/working/GT.Duplicator.Exploit.zip

tls, http2

msedge.exe

2.0kB
7.3kB
17
18

HTTP Request

GET https://github.com/L3GOGT/Growtopia-Duplicator-Exploit/releases/download/working/GT.Duplicator.Exploit.zip

HTTP Response

302
140.82.121.4:443

github.com

tls

msedge.exe

1.1kB
3.3kB
11
8
185.199.108.133:443

https://objects.githubusercontent.com/github-production-release-asset-2e65be/720728519/61dfee5a-f15d-4efe-af74-89e64074c3e8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231128%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231128T135213Z&X-Amz-Expires=300&X-Amz-Signature=015bdac000d887ef1119379a29a54a90df4fc22aa6110245de2f8a59376b7574&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=720728519&response-content-disposition=attachment%3B%20filename%3DGT.Duplicator.Exploit.zip&response-content-type=application%2Foctet-stream

tls, http2

msedge.exe

13.2kB
650.5kB
254
493

HTTP Request

GET https://objects.githubusercontent.com/github-production-release-asset-2e65be/720728519/61dfee5a-f15d-4efe-af74-89e64074c3e8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231128%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231128T135213Z&X-Amz-Expires=300&X-Amz-Signature=015bdac000d887ef1119379a29a54a90df4fc22aa6110245de2f8a59376b7574&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=720728519&response-content-disposition=attachment%3B%20filename%3DGT.Duplicator.Exploit.zip&response-content-type=application%2Foctet-stream

HTTP Response

200
204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bcbb8f4ef115421f80ba1d9d12532185&localId=w:5DA71B07-9A86-3028-7BAC-0A2B03A6FF03&deviceId=6896189400010801&anid=

tls, http2

1.9kB
9.3kB
22
20

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bcbb8f4ef115421f80ba1d9d12532185&localId=w:5DA71B07-9A86-3028-7BAC-0A2B03A6FF03&deviceId=6896189400010801&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=bcbb8f4ef115421f80ba1d9d12532185&localId=w:5DA71B07-9A86-3028-7BAC-0A2B03A6FF03&deviceId=6896189400010801&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=bcbb8f4ef115421f80ba1d9d12532185&localId=w:5DA71B07-9A86-3028-7BAC-0A2B03A6FF03&deviceId=6896189400010801&anid=

HTTP Response

204
142.250.179.142:80

http://google.com/generate_204

http

SystemFreezer.exe

302 B
259 B
5
3

HTTP Request

GET http://google.com/generate_204

HTTP Response

204
188.114.97.0:443

https://api.imgbb.com/1/upload?key=78adae1bfa0e608b56435fa339987449

tls, http

SystemFreezer.exe

92.4kB
7.5kB
73
39

HTTP Request

POST https://api.imgbb.com/1/upload?key=78adae1bfa0e608b56435fa339987449

HTTP Response

400
104.21.20.223:443

https://eterprx.net/api/accounts

tls, http

SystemFreezer.exe

1.1kB
3.9kB
9
8

HTTP Request

POST https://eterprx.net/api/accounts

HTTP Response

400
172.67.199.29:443

https://eternitypr.net/api/accounts

tls, http

SystemFreezer.exe

1.1kB
3.9kB
9
8

HTTP Request

POST https://eternitypr.net/api/accounts

HTTP Response

400
142.250.179.142:80

http://google.com/generate_204

http

SystemFreezer.exe

302 B
259 B
5
3

HTTP Request

GET http://google.com/generate_204

HTTP Response

204
188.114.97.0:443

https://api.imgbb.com/1/upload?key=78adae1bfa0e608b56435fa339987449

tls, http

SystemFreezer.exe

92.4kB
7.3kB
73
36

HTTP Request

POST https://api.imgbb.com/1/upload?key=78adae1bfa0e608b56435fa339987449

HTTP Response

400
104.21.20.223:443

https://eterprx.net/api/accounts

tls, http

SystemFreezer.exe

1.1kB
3.9kB
9
8

HTTP Request

POST https://eterprx.net/api/accounts

HTTP Response

400
172.67.199.29:443

https://eternitypr.net/api/accounts

tls, http

SystemFreezer.exe

1.1kB
3.9kB
9
8

HTTP Request

POST https://eternitypr.net/api/accounts

HTTP Response

400
142.250.179.142:80

http://google.com/generate_204

http

SystemFreezer.exe

302 B
259 B
5
3

HTTP Request

GET http://google.com/generate_204

HTTP Response

204
188.114.97.0:443

https://api.imgbb.com/1/upload?key=78adae1bfa0e608b56435fa339987449

tls, http

SystemFreezer.exe

92.4kB
7.4kB
73
38

HTTP Request

POST https://api.imgbb.com/1/upload?key=78adae1bfa0e608b56435fa339987449

HTTP Response

400
104.21.20.223:443

https://eterprx.net/api/accounts

tls, http

SystemFreezer.exe

1.1kB
3.9kB
9
8

HTTP Request

POST https://eterprx.net/api/accounts

HTTP Response

400
172.67.199.29:443

https://eternitypr.net/api/accounts

tls, http

SystemFreezer.exe

1.1kB
3.9kB
9
8

HTTP Request

POST https://eternitypr.net/api/accounts

HTTP Response

400

8.8.8.8:53

67.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

67.31.126.40.in-addr.arpa
8.8.8.8:53

github.com

dns

msedge.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

140.82.121.4
8.8.8.8:53

4.121.82.140.in-addr.arpa

dns

71 B
115 B
1
1

DNS Request

4.121.82.140.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

198.1.85.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

198.1.85.104.in-addr.arpa
8.8.8.8:53

objects.githubusercontent.com

dns

msedge.exe

75 B
139 B
1
1

DNS Request

objects.githubusercontent.com

DNS Response

185.199.108.133

185.199.109.133

185.199.110.133

185.199.111.133
8.8.8.8:53

133.108.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.108.199.185.in-addr.arpa
224.0.0.251:5353

514 B
8
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

203.33.253.131.in-addr.arpa

dns

73 B
107 B
1
1

DNS Request

203.33.253.131.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

25.14.97.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

25.14.97.104.in-addr.arpa
8.8.8.8:53

google.com

dns

SystemFreezer.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.179.142
8.8.8.8:53

142.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

142.179.250.142.in-addr.arpa
8.8.8.8:53

api.imgbb.com

dns

SystemFreezer.exe

59 B
91 B
1
1

DNS Request

api.imgbb.com

DNS Response

188.114.97.0

188.114.96.0
8.8.8.8:53

eterprx.net

dns

SystemFreezer.exe

57 B
89 B
1
1

DNS Request

eterprx.net

DNS Response

104.21.20.223

172.67.194.181
8.8.8.8:53

eternitypr.net

dns

SystemFreezer.exe

60 B
92 B
1
1

DNS Request

eternitypr.net

DNS Response

172.67.199.29

104.21.21.142
8.8.8.8:53

0.97.114.188.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

0.97.114.188.in-addr.arpa
8.8.8.8:53

223.20.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

223.20.21.104.in-addr.arpa
8.8.8.8:53

29.199.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

29.199.67.172.in-addr.arpa
8.8.8.8:53

126.23.238.8.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

126.23.238.8.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

9.73.50.20.in-addr.arpa

dns

69 B
155 B
1
1

DNS Request

9.73.50.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\8098e008-9e02-4728-bf94-30b8a677882a.tmp

Filesize
10KB

MD5
ac0ca66ac4c91ca3b77783527979b645

SHA1
317c25230f0a90a5ecd27fbac4a5cc38d7dc5c5c

SHA256
6b06c317071768e8c127cfbb5390664a552d273d1357aa523a120bfba1a6c71f

SHA512
07b45f6509b702bc334a4423ea8f1e718e2e1d6040917088e6b96a9a57f04801a9d221fcefa173976dcda9bc575ca08fb44f82ade528ddf67daffd6be1aebebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
208a234643c411e1b919e904ee20115e

SHA1
400b6e6860953f981bfe4716c345b797ed5b2b5b

SHA256
af80020ae43388bbd3db31c75aade369d489a30a933574dea19163e094d5f458

SHA512
2779b96325234c836cbb91820ee332ed56c15b534ec0c7770b322a5c03849ec3ee67b0ec7978e1fab563eeed1cea96f5155d7b942702555d9352ff6711a548d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6f530f1f11bf69ff10ee37e799208bc0

SHA1
1f90bb1505616020ca14368bc1162d5e6d68a871

SHA256
fa7fde1d2ddd376a9a65addbc35ab23fe71e8f4f06fe24d9b7a9bd151d8670f5

SHA512
f6afebacfd754739f1e0486fd1666d2b40e2706b6fab96d83cd786c17ca57f86206833e3df2e7a5caafb2aea7f7386274001956a7079bd18d6b50b4593a92d19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7199eab038c28907bacfecd816d387ee

SHA1
efc8cb53429081ecca1d4284e2ee2a2db6e69c71

SHA256
4c27360601cfcc7cde3522dd490c4878802c10be7587f31dc616483b74227067

SHA512
07c23132e7aed82c0d736f22436a63b06f20e72fd4570ae78d037dcce31358dad205797593f6c008a30e1275332201c191d8064a2857a78e7824dc85d8c6685a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5a6206a3489650bf4a9c3ce44a428126

SHA1
3137a909ef8b098687ec536c57caa1bacc77224b

SHA256
0a9e623c6df237c02a585539bffb8249de48949c6d074fe0aaf43063731a3e28

SHA512
980da83c3142bf08433ec1770a2ec5f5560daf3ee680466f89beae8290e921c0db677489daad055fbc1f196388f8bc4f60e050600381f860b06d330062440a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3360cb9430c3e9491d08df94ce7aa18b

SHA1
7dfc1554ec47ab9a472d47e77baf064a371860b7

SHA256
9ddf1048c52129818182bf4d8150ac4c3e3845d08d6dce9b1350256216ac33fe

SHA512
ebca653f018925b6333923272f1f0c6aea41c4c08619c7e2a1d401b7cfa317b61f9516db8b81cba5c3d060659f3ab7f2c71205f9a782d98c9b6aec2171b43e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemFreezer.exe

Filesize
884KB

MD5
c535be7d5fca25b986c17ff8dda9d482

SHA1
99199849ab5140e0df64083ae70c9b65265308f7

SHA256
07cc4f727bac2537a45421540107751df24bb736d6e471d90f84e73366e111e0

SHA512
c7ac6268ce848f7137e9c31407abbad528f0129d1c436c831b79ca30ec304ebd7da0d94fe70128be3c3c383edb85b59c9a546e8e64e6cec11be414c7bd4159c2

Download Submit
C:\Users\Admin\Downloads\GT.Duplicator.Exploit.zip

Filesize
607KB

MD5
19f3b40baf7953f2068ec3f148a2c1aa

SHA1
d7c9d9307d317177d7b8f394b838e57f0157bbc5

SHA256
3064f41531487ee3b9205367940d50ab150775008c1ff13b92069cbbbb828e1f

SHA512
364b8b24cef388466d5365d7a6a738082770e4be648d1de3745df346ebabcf838749f16dfe647133550e5922c90ee5fe464e3528691a7e05bdcc55a379bde6c0

Download Submit
memory/628-181-0x00007FF8D8270000-0x00007FF8D8D31000-memory.dmp

Filesize
10.8MB

Download
memory/628-176-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/628-175-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/628-174-0x000000001B980000-0x000000001B990000-memory.dmp

Filesize
64KB

Download
memory/628-173-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/628-172-0x00007FF8D8270000-0x00007FF8D8D31000-memory.dmp

Filesize
10.8MB

Download
memory/2292-111-0x000000001B770000-0x000000001B780000-memory.dmp

Filesize
64KB

Download
memory/2292-105-0x0000000002B60000-0x0000000002BB0000-memory.dmp

Filesize
320KB

Download
memory/2292-106-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/2292-107-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/2292-108-0x000000001B770000-0x000000001B780000-memory.dmp

Filesize
64KB

Download
memory/2292-109-0x0000000002BB0000-0x0000000002BEE000-memory.dmp

Filesize
248KB

Download
memory/2292-110-0x000000001B770000-0x000000001B780000-memory.dmp

Filesize
64KB

Download
memory/2292-120-0x00007FF8D8680000-0x00007FF8D9141000-memory.dmp

Filesize
10.8MB

Download
memory/2292-103-0x0000000000990000-0x0000000000A76000-memory.dmp

Filesize
920KB

Download
memory/2292-104-0x00007FF8D8680000-0x00007FF8D9141000-memory.dmp

Filesize
10.8MB

Download
memory/5084-136-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/5084-144-0x00007FF8D8150000-0x00007FF8D8C11000-memory.dmp

Filesize
10.8MB

Download
memory/5084-134-0x00007FF8D8150000-0x00007FF8D8C11000-memory.dmp

Filesize
10.8MB

Download
memory/5084-135-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/5084-138-0x000000001AD50000-0x000000001AD60000-memory.dmp

Filesize
64KB

Download
memory/5084-137-0x000000001AD50000-0x000000001AD60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.