Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2023, 22:49 UTC

General

  • Target

    1ef652cf753aac92977c2cfea7fe08c4.exe

  • Size

    3.1MB

  • MD5

    1ef652cf753aac92977c2cfea7fe08c4

  • SHA1

    2c4b9cb5ae6f174c97626c02a4a122e48c43dee2

  • SHA256

    6ebeb06cb2d2beddb16bfd2a4e689ac133b34e734954b694edf0aa2c3ea25ae6

  • SHA512

    3ea9fdbaaf006ffe69b126e92398a779e1887865a8b555f0e39fb31c0ea8edd9d265d79318f3e2ad314dabcab46c4855688472a016c30aafb9aa02ef56870126

  • SSDEEP

    49152:0itOd4k7ydepSSPIZDscC+QZKDVdfu31h:0iK4IIZYfZKDVQFh

Score
10/10

Malware Config

Signatures

  • Blocklisted process makes network request 11 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ef652cf753aac92977c2cfea7fe08c4.exe
    "C:\Users\Admin\AppData\Local\Temp\1ef652cf753aac92977c2cfea7fe08c4.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2444
        • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
          "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
          4⤵
          • Executes dropped EXE
          PID:1320

Network

  • flag-us
    DNS
    i.imgur.com
    Remote address:
    8.8.8.8:53
    Request
    i.imgur.com
    IN A
    Response
    i.imgur.com
    IN CNAME
    ipv4.imgur.map.fastly.net
    ipv4.imgur.map.fastly.net
    IN A
    199.232.168.193
  • flag-us
    DNS
    i.imgur.com
    Remote address:
    8.8.8.8:53
    Request
    i.imgur.com
    IN A
  • flag-us
    HEAD
    https://i.imgur.com/tc6bGvH.png
    Remote address:
    199.232.168.193:443
    Request
    HEAD /tc6bGvH.png HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    User-Agent: Microsoft BITS/7.5
    Host: i.imgur.com
    Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 550472
    Content-Type: image/png
    Last-Modified: Mon, 18 Jan 2021 19:44:24 GMT
    ETag: "8a0495e7d2efa7e2e0f7b66a01aaafd1"
    x-amz-storage-class: STANDARD_IA
    X-Amz-Cf-Pop: IAD12-P2
    X-Amz-Cf-Id: lg2mQvp5BbZO2q0uV5BiUWaj2qJR-v8HcdbRA6cbzUcvtNWkzlzprw==
    cache-control: public, max-age=31536000
    Accept-Ranges: bytes
    Date: Thu, 04 Jan 2024 18:11:50 GMT
    Age: 0
    X-Served-By: cache-iad-kiad7000062-IAD, cache-par-lfpg1960027-PAR
    X-Cache: Miss from cloudfront, HIT, MISS
    X-Cache-Hits: 1, 0
    X-Timer: S1704391911.667333,VS0,VE161
    Strict-Transport-Security: max-age=300
    Access-Control-Allow-Methods: GET, OPTIONS
    Access-Control-Allow-Origin: *
    Server: cat factory 1.0
    X-Content-Type-Options: nosniff
  • flag-us
    GET
    https://i.imgur.com/tc6bGvH.png
    Remote address:
    199.232.168.193:443
    Request
    GET /tc6bGvH.png HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 18 Jan 2021 19:44:24 GMT
    Range: bytes=0-4707
    User-Agent: Microsoft BITS/7.5
    Host: i.imgur.com
    Response
    HTTP/1.1 206 Partial Content
    Connection: keep-alive
    Content-Length: 4708
    Content-Type: image/png
    Last-Modified: Mon, 18 Jan 2021 19:44:24 GMT
    ETag: "8a0495e7d2efa7e2e0f7b66a01aaafd1"
    x-amz-storage-class: STANDARD_IA
    X-Amz-Cf-Pop: IAD12-P2
    X-Amz-Cf-Id: lg2mQvp5BbZO2q0uV5BiUWaj2qJR-v8HcdbRA6cbzUcvtNWkzlzprw==
    cache-control: public, max-age=31536000
    Accept-Ranges: bytes
    Date: Thu, 04 Jan 2024 18:11:54 GMT
    Age: 4
    X-Served-By: cache-iad-kiad7000062-IAD, cache-par-lfpg1960027-PAR
    X-Cache: Miss from cloudfront, HIT, HIT
    X-Cache-Hits: 1, 1
    X-Timer: S1704391915.956450,VS0,VE0
    Strict-Transport-Security: max-age=300
    Access-Control-Allow-Methods: GET, OPTIONS
    Access-Control-Allow-Origin: *
    Server: cat factory 1.0
    X-Content-Type-Options: nosniff
    Content-Range: bytes 0-4707/550472
  • flag-us
    GET
    https://i.imgur.com/tc6bGvH.png
    Remote address:
    199.232.168.193:443
    Request
    GET /tc6bGvH.png HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 18 Jan 2021 19:44:24 GMT
    Range: bytes=4708-11960
    User-Agent: Microsoft BITS/7.5
    Host: i.imgur.com
    Response
    HTTP/1.1 206 Partial Content
    Connection: keep-alive
    Content-Length: 7253
    Content-Type: image/png
    Last-Modified: Mon, 18 Jan 2021 19:44:24 GMT
    ETag: "8a0495e7d2efa7e2e0f7b66a01aaafd1"
    x-amz-storage-class: STANDARD_IA
    X-Amz-Cf-Pop: IAD12-P2
    X-Amz-Cf-Id: lg2mQvp5BbZO2q0uV5BiUWaj2qJR-v8HcdbRA6cbzUcvtNWkzlzprw==
    cache-control: public, max-age=31536000
    Accept-Ranges: bytes
    Date: Thu, 04 Jan 2024 18:11:58 GMT
    Age: 7
    X-Served-By: cache-iad-kiad7000062-IAD, cache-par-lfpg1960027-PAR
    X-Cache: Miss from cloudfront, HIT, HIT
    X-Cache-Hits: 1, 2
    X-Timer: S1704391918.063075,VS0,VE0
    Strict-Transport-Security: max-age=300
    Access-Control-Allow-Methods: GET, OPTIONS
    Access-Control-Allow-Origin: *
    Server: cat factory 1.0
    X-Content-Type-Options: nosniff
    Content-Range: bytes 4708-11960/550472
  • flag-us
    GET
    https://i.imgur.com/tc6bGvH.png
    Remote address:
    199.232.168.193:443
    Request
    GET /tc6bGvH.png HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 18 Jan 2021 19:44:24 GMT
    Range: bytes=11961-22121
    User-Agent: Microsoft BITS/7.5
    Host: i.imgur.com
    Response
    HTTP/1.1 206 Partial Content
    Connection: keep-alive
    Content-Length: 10161
    Content-Type: image/png
    Last-Modified: Mon, 18 Jan 2021 19:44:24 GMT
    ETag: "8a0495e7d2efa7e2e0f7b66a01aaafd1"
    x-amz-storage-class: STANDARD_IA
    X-Amz-Cf-Pop: IAD12-P2
    X-Amz-Cf-Id: lg2mQvp5BbZO2q0uV5BiUWaj2qJR-v8HcdbRA6cbzUcvtNWkzlzprw==
    cache-control: public, max-age=31536000
    Accept-Ranges: bytes
    Date: Thu, 04 Jan 2024 18:12:00 GMT
    Age: 9
    X-Served-By: cache-iad-kiad7000062-IAD, cache-par-lfpg1960027-PAR
    X-Cache: Miss from cloudfront, HIT, HIT
    X-Cache-Hits: 1, 3
    X-Timer: S1704391920.069147,VS0,VE0
    Strict-Transport-Security: max-age=300
    Access-Control-Allow-Methods: GET, OPTIONS
    Access-Control-Allow-Origin: *
    Server: cat factory 1.0
    X-Content-Type-Options: nosniff
    Content-Range: bytes 11961-22121/550472
  • flag-us
    GET
    https://i.imgur.com/tc6bGvH.png
    Remote address:
    199.232.168.193:443
    Request
    GET /tc6bGvH.png HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 18 Jan 2021 19:44:24 GMT
    Range: bytes=22122-39501
    User-Agent: Microsoft BITS/7.5
    Host: i.imgur.com
    Response
    HTTP/1.1 206 Partial Content
    Connection: keep-alive
    Content-Length: 17380
    Content-Type: image/png
    Last-Modified: Mon, 18 Jan 2021 19:44:24 GMT
    ETag: "8a0495e7d2efa7e2e0f7b66a01aaafd1"
    x-amz-storage-class: STANDARD_IA
    X-Amz-Cf-Pop: IAD12-P2
    X-Amz-Cf-Id: lg2mQvp5BbZO2q0uV5BiUWaj2qJR-v8HcdbRA6cbzUcvtNWkzlzprw==
    cache-control: public, max-age=31536000
    Accept-Ranges: bytes
    Date: Thu, 04 Jan 2024 18:12:02 GMT
    Age: 12
    X-Served-By: cache-iad-kiad7000062-IAD, cache-par-lfpg1960027-PAR
    X-Cache: Miss from cloudfront, HIT, HIT
    X-Cache-Hits: 1, 4
    X-Timer: S1704391922.379796,VS0,VE0
    Strict-Transport-Security: max-age=300
    Access-Control-Allow-Methods: GET, OPTIONS
    Access-Control-Allow-Origin: *
    Server: cat factory 1.0
    X-Content-Type-Options: nosniff
    Content-Range: bytes 22122-39501/550472
  • flag-us
    GET
    https://i.imgur.com/tc6bGvH.png
    Remote address:
    199.232.168.193:443
    Request
    GET /tc6bGvH.png HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 18 Jan 2021 19:44:24 GMT
    Range: bytes=39502-53463
    User-Agent: Microsoft BITS/7.5
    Host: i.imgur.com
    Response
    HTTP/1.1 206 Partial Content
    Connection: keep-alive
    Content-Length: 13962
    Content-Type: image/png
    Last-Modified: Mon, 18 Jan 2021 19:44:24 GMT
    ETag: "8a0495e7d2efa7e2e0f7b66a01aaafd1"
    x-amz-storage-class: STANDARD_IA
    X-Amz-Cf-Pop: IAD12-P2
    X-Amz-Cf-Id: lg2mQvp5BbZO2q0uV5BiUWaj2qJR-v8HcdbRA6cbzUcvtNWkzlzprw==
    cache-control: public, max-age=31536000
    Accept-Ranges: bytes
    Date: Thu, 04 Jan 2024 18:12:03 GMT
    Age: 12
    X-Served-By: cache-iad-kiad7000062-IAD, cache-par-lfpg1960027-PAR
    X-Cache: Miss from cloudfront, HIT, HIT
    X-Cache-Hits: 1, 5
    X-Timer: S1704391923.121266,VS0,VE0
    Strict-Transport-Security: max-age=300
    Access-Control-Allow-Methods: GET, OPTIONS
    Access-Control-Allow-Origin: *
    Server: cat factory 1.0
    X-Content-Type-Options: nosniff
    Content-Range: bytes 39502-53463/550472
  • flag-us
    GET
    https://i.imgur.com/tc6bGvH.png
    Remote address:
    199.232.168.193:443
    Request
    GET /tc6bGvH.png HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 18 Jan 2021 19:44:24 GMT
    Range: bytes=53464-82813
    User-Agent: Microsoft BITS/7.5
    Host: i.imgur.com
    Response
    HTTP/1.1 206 Partial Content
    Connection: keep-alive
    Content-Length: 29350
    Content-Type: image/png
    Last-Modified: Mon, 18 Jan 2021 19:44:24 GMT
    ETag: "8a0495e7d2efa7e2e0f7b66a01aaafd1"
    x-amz-storage-class: STANDARD_IA
    X-Amz-Cf-Pop: IAD12-P2
    X-Amz-Cf-Id: lg2mQvp5BbZO2q0uV5BiUWaj2qJR-v8HcdbRA6cbzUcvtNWkzlzprw==
    cache-control: public, max-age=31536000
    Accept-Ranges: bytes
    Date: Thu, 04 Jan 2024 18:12:04 GMT
    Age: 13
    X-Served-By: cache-iad-kiad7000062-IAD, cache-par-lfpg1960027-PAR
    X-Cache: Miss from cloudfront, HIT, HIT
    X-Cache-Hits: 1, 6
    X-Timer: S1704391924.112844,VS0,VE0
    Strict-Transport-Security: max-age=300
    Access-Control-Allow-Methods: GET, OPTIONS
    Access-Control-Allow-Origin: *
    Server: cat factory 1.0
    X-Content-Type-Options: nosniff
    Content-Range: bytes 53464-82813/550472
  • flag-us
    GET
    https://i.imgur.com/tc6bGvH.png
    Remote address:
    199.232.168.193:443
    Request
    GET /tc6bGvH.png HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 18 Jan 2021 19:44:24 GMT
    Range: bytes=82814-142790
    User-Agent: Microsoft BITS/7.5
    Host: i.imgur.com
    Response
    HTTP/1.1 206 Partial Content
    Connection: keep-alive
    Content-Length: 59977
    Content-Type: image/png
    Last-Modified: Mon, 18 Jan 2021 19:44:24 GMT
    ETag: "8a0495e7d2efa7e2e0f7b66a01aaafd1"
    x-amz-storage-class: STANDARD_IA
    X-Amz-Cf-Pop: IAD12-P2
    X-Amz-Cf-Id: lg2mQvp5BbZO2q0uV5BiUWaj2qJR-v8HcdbRA6cbzUcvtNWkzlzprw==
    cache-control: public, max-age=31536000
    Accept-Ranges: bytes
    Date: Thu, 04 Jan 2024 18:12:05 GMT
    Age: 14
    X-Served-By: cache-iad-kiad7000062-IAD, cache-par-lfpg1960027-PAR
    X-Cache: Miss from cloudfront, HIT, HIT
    X-Cache-Hits: 1, 7
    X-Timer: S1704391925.127769,VS0,VE0
    Strict-Transport-Security: max-age=300
    Access-Control-Allow-Methods: GET, OPTIONS
    Access-Control-Allow-Origin: *
    Server: cat factory 1.0
    X-Content-Type-Options: nosniff
    Content-Range: bytes 82814-142790/550472
  • flag-us
    GET
    https://i.imgur.com/tc6bGvH.png
    Remote address:
    199.232.168.193:443
    Request
    GET /tc6bGvH.png HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 18 Jan 2021 19:44:24 GMT
    Range: bytes=142791-229067
    User-Agent: Microsoft BITS/7.5
    Host: i.imgur.com
    Response
    HTTP/1.1 206 Partial Content
    Connection: keep-alive
    Content-Length: 86277
    Content-Type: image/png
    Last-Modified: Mon, 18 Jan 2021 19:44:24 GMT
    ETag: "8a0495e7d2efa7e2e0f7b66a01aaafd1"
    x-amz-storage-class: STANDARD_IA
    X-Amz-Cf-Pop: IAD12-P2
    X-Amz-Cf-Id: lg2mQvp5BbZO2q0uV5BiUWaj2qJR-v8HcdbRA6cbzUcvtNWkzlzprw==
    cache-control: public, max-age=31536000
    Accept-Ranges: bytes
    Date: Thu, 04 Jan 2024 18:12:06 GMT
    Age: 15
    X-Served-By: cache-iad-kiad7000062-IAD, cache-par-lfpg1960027-PAR
    X-Cache: Miss from cloudfront, HIT, HIT
    X-Cache-Hits: 1, 8
    X-Timer: S1704391926.149504,VS0,VE0
    Strict-Transport-Security: max-age=300
    Access-Control-Allow-Methods: GET, OPTIONS
    Access-Control-Allow-Origin: *
    Server: cat factory 1.0
    X-Content-Type-Options: nosniff
    Content-Range: bytes 142791-229067/550472
  • flag-us
    GET
    https://i.imgur.com/tc6bGvH.png
    Remote address:
    199.232.168.193:443
    Request
    GET /tc6bGvH.png HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 18 Jan 2021 19:44:24 GMT
    Range: bytes=229068-327278
    User-Agent: Microsoft BITS/7.5
    Host: i.imgur.com
    Response
    HTTP/1.1 206 Partial Content
    Connection: keep-alive
    Content-Length: 98211
    Content-Type: image/png
    Last-Modified: Mon, 18 Jan 2021 19:44:24 GMT
    ETag: "8a0495e7d2efa7e2e0f7b66a01aaafd1"
    x-amz-storage-class: STANDARD_IA
    X-Amz-Cf-Pop: IAD12-P2
    X-Amz-Cf-Id: lg2mQvp5BbZO2q0uV5BiUWaj2qJR-v8HcdbRA6cbzUcvtNWkzlzprw==
    cache-control: public, max-age=31536000
    Accept-Ranges: bytes
    Date: Thu, 04 Jan 2024 18:12:07 GMT
    Age: 16
    X-Served-By: cache-iad-kiad7000062-IAD, cache-par-lfpg1960027-PAR
    X-Cache: Miss from cloudfront, HIT, HIT
    X-Cache-Hits: 1, 9
    X-Timer: S1704391927.155251,VS0,VE0
    Strict-Transport-Security: max-age=300
    Access-Control-Allow-Methods: GET, OPTIONS
    Access-Control-Allow-Origin: *
    Server: cat factory 1.0
    X-Content-Type-Options: nosniff
    Content-Range: bytes 229068-327278/550472
  • flag-us
    GET
    https://i.imgur.com/tc6bGvH.png
    Remote address:
    199.232.168.193:443
    Request
    GET /tc6bGvH.png HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 18 Jan 2021 19:44:24 GMT
    Range: bytes=327279-419271
    User-Agent: Microsoft BITS/7.5
    Host: i.imgur.com
    Response
    HTTP/1.1 206 Partial Content
    Connection: keep-alive
    Content-Length: 91993
    Content-Type: image/png
    Last-Modified: Mon, 18 Jan 2021 19:44:24 GMT
    ETag: "8a0495e7d2efa7e2e0f7b66a01aaafd1"
    x-amz-storage-class: STANDARD_IA
    X-Amz-Cf-Pop: IAD12-P2
    X-Amz-Cf-Id: lg2mQvp5BbZO2q0uV5BiUWaj2qJR-v8HcdbRA6cbzUcvtNWkzlzprw==
    cache-control: public, max-age=31536000
    Accept-Ranges: bytes
    Date: Thu, 04 Jan 2024 18:12:08 GMT
    Age: 18
    X-Served-By: cache-iad-kiad7000062-IAD, cache-par-lfpg1960027-PAR
    X-Cache: Miss from cloudfront, HIT, HIT
    X-Cache-Hits: 1, 10
    X-Timer: S1704391928.479750,VS0,VE0
    Strict-Transport-Security: max-age=300
    Access-Control-Allow-Methods: GET, OPTIONS
    Access-Control-Allow-Origin: *
    Server: cat factory 1.0
    X-Content-Type-Options: nosniff
    Content-Range: bytes 327279-419271/550472
  • flag-us
    GET
    https://i.imgur.com/tc6bGvH.png
    Remote address:
    199.232.168.193:443
    Request
    GET /tc6bGvH.png HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 18 Jan 2021 19:44:24 GMT
    Range: bytes=419272-496399
    User-Agent: Microsoft BITS/7.5
    Host: i.imgur.com
    Response
    HTTP/1.1 206 Partial Content
    Connection: keep-alive
    Content-Length: 77128
    Content-Type: image/png
    Last-Modified: Mon, 18 Jan 2021 19:44:24 GMT
    ETag: "8a0495e7d2efa7e2e0f7b66a01aaafd1"
    x-amz-storage-class: STANDARD_IA
    X-Amz-Cf-Pop: IAD12-P2
    X-Amz-Cf-Id: lg2mQvp5BbZO2q0uV5BiUWaj2qJR-v8HcdbRA6cbzUcvtNWkzlzprw==
    cache-control: public, max-age=31536000
    Accept-Ranges: bytes
    Date: Thu, 04 Jan 2024 18:12:09 GMT
    Age: 19
    X-Served-By: cache-iad-kiad7000062-IAD, cache-par-lfpg1960027-PAR
    X-Cache: Miss from cloudfront, HIT, HIT
    X-Cache-Hits: 1, 11
    X-Timer: S1704391930.588618,VS0,VE0
    Strict-Transport-Security: max-age=300
    Access-Control-Allow-Methods: GET, OPTIONS
    Access-Control-Allow-Origin: *
    Server: cat factory 1.0
    X-Content-Type-Options: nosniff
    Content-Range: bytes 419272-496399/550472
  • flag-us
    GET
    https://i.imgur.com/tc6bGvH.png
    Remote address:
    199.232.168.193:443
    Request
    GET /tc6bGvH.png HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Mon, 18 Jan 2021 19:44:24 GMT
    Range: bytes=496400-550471
    User-Agent: Microsoft BITS/7.5
    Host: i.imgur.com
    Response
    HTTP/1.1 206 Partial Content
    Connection: keep-alive
    Content-Length: 54072
    Content-Type: image/png
    Last-Modified: Mon, 18 Jan 2021 19:44:24 GMT
    ETag: "8a0495e7d2efa7e2e0f7b66a01aaafd1"
    x-amz-storage-class: STANDARD_IA
    X-Amz-Cf-Pop: IAD12-P2
    X-Amz-Cf-Id: lg2mQvp5BbZO2q0uV5BiUWaj2qJR-v8HcdbRA6cbzUcvtNWkzlzprw==
    cache-control: public, max-age=31536000
    Accept-Ranges: bytes
    Date: Thu, 04 Jan 2024 18:12:10 GMT
    Age: 20
    X-Served-By: cache-iad-kiad7000062-IAD, cache-par-lfpg1960027-PAR
    X-Cache: Miss from cloudfront, HIT, HIT
    X-Cache-Hits: 1, 12
    X-Timer: S1704391931.800972,VS0,VE0
    Strict-Transport-Security: max-age=300
    Access-Control-Allow-Methods: GET, OPTIONS
    Access-Control-Allow-Origin: *
    Server: cat factory 1.0
    X-Content-Type-Options: nosniff
    Content-Range: bytes 496400-550471/550472
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    2.17.5.133
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
  • flag-us
    DNS
    i.imgur.com
    Remote address:
    8.8.8.8:53
    Request
    i.imgur.com
    IN A
    Response
    i.imgur.com
    IN CNAME
    ipv4.imgur.map.fastly.net
    ipv4.imgur.map.fastly.net
    IN A
    151.101.60.193
  • flag-de
    GET
    http://131.188.40.189/tor/status-vote/current/consensus
    cmd.exe
    Remote address:
    131.188.40.189:80
    Request
    GET /tor/status-vote/current/consensus HTTP/1.0
    Host: 131.188.40.189
    Response
    HTTP/1.0 200 OK
    Date: Thu, 04 Jan 2024 18:12:35 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 89.149.23.59
    Content-Encoding: identity
    Expires: Thu, 04 Jan 2024 19:00:00 GMT
    Vary: X-Or-Diff-From-Consensus
  • flag-us
    DNS
    api.ipify.org
    cmd.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN CNAME
    api4.ipify.org
    api4.ipify.org
    IN A
    104.237.62.212
    api4.ipify.org
    IN A
    64.185.227.156
    api4.ipify.org
    IN A
    173.231.16.77
  • flag-de
    GET
    http://193.23.244.244/tor/server/fp/63e742d4f2552c0299e563cc7013c20575042630
    cmd.exe
    Remote address:
    193.23.244.244:80
    Request
    GET /tor/server/fp/63e742d4f2552c0299e563cc7013c20575042630 HTTP/1.0
    Host: 193.23.244.244
    Response
    HTTP/1.0 200 OK
    Date: Thu, 04 Jan 2024 18:13:02 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 89.149.23.59
    Content-Encoding: identity
    Expires: Sat, 06 Jan 2024 18:13:02 GMT
  • flag-us
    DNS
    time-a.nist.gov
    cmd.exe
    Remote address:
    8.8.8.8:53
    Request
    time-a.nist.gov
    IN A
    Response
    time-a.nist.gov
    IN CNAME
    time-a-g.nist.gov
    time-a-g.nist.gov
    IN A
    129.6.15.28
  • flag-us
    DNS
    time-a-g.nist.gov
    cmd.exe
    Remote address:
    8.8.8.8:53
    Request
    time-a-g.nist.gov
    IN A
    Response
    time-a-g.nist.gov
    IN A
    129.6.15.28
  • flag-us
    DNS
    time-a-g.nist.gov
    cmd.exe
    Remote address:
    8.8.8.8:53
    Request
    time-a-g.nist.gov
    IN A
  • flag-us
    DNS
    time.nist.gov
    cmd.exe
    Remote address:
    8.8.8.8:53
    Request
    time.nist.gov
    IN A
    Response
    time.nist.gov
    IN CNAME
    ntp1.glb.nist.gov
    ntp1.glb.nist.gov
    IN A
    132.163.97.3
  • flag-de
    GET
    http://193.23.244.244/tor/server/fp/083c52051140db8af770bd40c7c8883efff4caf3
    cmd.exe
    Remote address:
    193.23.244.244:80
    Request
    GET /tor/server/fp/083c52051140db8af770bd40c7c8883efff4caf3 HTTP/1.0
    Host: 193.23.244.244
    Response
    HTTP/1.0 200 OK
    Date: Thu, 04 Jan 2024 18:13:48 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 89.149.23.59
    Content-Encoding: identity
    Expires: Sat, 06 Jan 2024 18:13:48 GMT
  • flag-de
    GET
    http://193.23.244.244/tor/server/fp/2776b79f177cab267ef5334ccfcfa82356082e8f
    cmd.exe
    Remote address:
    193.23.244.244:80
    Request
    GET /tor/server/fp/2776b79f177cab267ef5334ccfcfa82356082e8f HTTP/1.0
    Host: 193.23.244.244
    Response
    HTTP/1.0 200 OK
    Date: Thu, 04 Jan 2024 18:13:58 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 89.149.23.59
    Content-Encoding: identity
    Expires: Sat, 06 Jan 2024 18:13:58 GMT
  • flag-de
    GET
    http://193.23.244.244/tor/server/fp/a347d0563fc397d434898395fee6e8395e2f18a0
    cmd.exe
    Remote address:
    193.23.244.244:80
    Request
    GET /tor/server/fp/a347d0563fc397d434898395fee6e8395e2f18a0 HTTP/1.0
    Host: 193.23.244.244
    Response
    HTTP/1.0 200 OK
    Date: Thu, 04 Jan 2024 18:14:02 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 89.149.23.59
    Content-Encoding: identity
    Expires: Sat, 06 Jan 2024 18:14:02 GMT
  • flag-de
    GET
    http://193.23.244.244/tor/server/fp/950e02db326d28101e29286044c5714a204f3222
    Remote address:
    193.23.244.244:80
    Request
    GET /tor/server/fp/950e02db326d28101e29286044c5714a204f3222 HTTP/1.0
    Host: 193.23.244.244
    Response
    HTTP/1.0 200 OK
    Date: Thu, 04 Jan 2024 18:14:02 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 89.149.23.59
    Content-Encoding: identity
    Expires: Sat, 06 Jan 2024 18:14:02 GMT
  • 199.232.168.193:443
    https://i.imgur.com/tc6bGvH.png
    tls, http
    17.2kB
    592.2kB
    276
    452

    HTTP Request

    HEAD https://i.imgur.com/tc6bGvH.png

    HTTP Response

    200

    HTTP Request

    GET https://i.imgur.com/tc6bGvH.png

    HTTP Response

    206

    HTTP Request

    GET https://i.imgur.com/tc6bGvH.png

    HTTP Response

    206

    HTTP Request

    GET https://i.imgur.com/tc6bGvH.png

    HTTP Response

    206

    HTTP Request

    GET https://i.imgur.com/tc6bGvH.png

    HTTP Response

    206

    HTTP Request

    GET https://i.imgur.com/tc6bGvH.png

    HTTP Response

    206

    HTTP Request

    GET https://i.imgur.com/tc6bGvH.png

    HTTP Response

    206

    HTTP Request

    GET https://i.imgur.com/tc6bGvH.png

    HTTP Response

    206

    HTTP Request

    GET https://i.imgur.com/tc6bGvH.png

    HTTP Response

    206

    HTTP Request

    GET https://i.imgur.com/tc6bGvH.png

    HTTP Response

    206

    HTTP Request

    GET https://i.imgur.com/tc6bGvH.png

    HTTP Response

    206

    HTTP Request

    GET https://i.imgur.com/tc6bGvH.png

    HTTP Response

    206

    HTTP Request

    GET https://i.imgur.com/tc6bGvH.png

    HTTP Response

    206
  • 131.188.40.189:80
    http://131.188.40.189/tor/status-vote/current/consensus
    http
    cmd.exe
    70.9kB
    3.5MB
    1483
    2494

    HTTP Request

    GET http://131.188.40.189/tor/status-vote/current/consensus

    HTTP Response

    200
  • 104.237.62.212:443
    api.ipify.org
    tls
    cmd.exe
    603 B
    251 B
    8
    6
  • 193.23.244.244:80
    http://193.23.244.244/tor/server/fp/63e742d4f2552c0299e563cc7013c20575042630
    http
    cmd.exe
    371 B
    2.6kB
    6
    5

    HTTP Request

    GET http://193.23.244.244/tor/server/fp/63e742d4f2552c0299e563cc7013c20575042630

    HTTP Response

    200
  • 192.227.193.56:443
    tls
    cmd.exe
    466 B
    219 B
    8
    5
  • 129.6.15.28:13
    time-a.nist.gov
    cmd.exe
    426 B
    172 B
    9
    4
  • 129.6.15.28:13
    time-a-g.nist.gov
    cmd.exe
    242 B
    132 B
    5
    3
  • 132.163.97.3:13
    time.nist.gov
    cmd.exe
    294 B
    275 B
    6
    5
  • 193.23.244.244:80
    http://193.23.244.244/tor/server/fp/083c52051140db8af770bd40c7c8883efff4caf3
    http
    cmd.exe
    423 B
    2.9kB
    7
    5

    HTTP Request

    GET http://193.23.244.244/tor/server/fp/083c52051140db8af770bd40c7c8883efff4caf3

    HTTP Response

    200
  • 212.227.165.251:443
    tls, https
    cmd.exe
    4.4kB
    7.9kB
    17
    17
  • 193.23.244.244:80
    http://193.23.244.244/tor/server/fp/2776b79f177cab267ef5334ccfcfa82356082e8f
    http
    cmd.exe
    371 B
    2.6kB
    6
    5

    HTTP Request

    GET http://193.23.244.244/tor/server/fp/2776b79f177cab267ef5334ccfcfa82356082e8f

    HTTP Response

    200
  • 193.23.244.244:80
    http://193.23.244.244/tor/server/fp/a347d0563fc397d434898395fee6e8395e2f18a0
    http
    cmd.exe
    607 B
    16.1kB
    11
    14

    HTTP Request

    GET http://193.23.244.244/tor/server/fp/a347d0563fc397d434898395fee6e8395e2f18a0

    HTTP Response

    200
  • 193.23.244.244:80
    http://193.23.244.244/tor/server/fp/950e02db326d28101e29286044c5714a204f3222
    http
    417 B
    2.7kB
    7
    5

    HTTP Request

    GET http://193.23.244.244/tor/server/fp/950e02db326d28101e29286044c5714a204f3222

    HTTP Response

    200
  • 135.148.150.100:443
    tls
    325 B
    219 B
    5
    5
  • 8.8.8.8:53
    i.imgur.com
    dns
    114 B
    112 B
    2
    1

    DNS Request

    i.imgur.com

    DNS Request

    i.imgur.com

    DNS Response

    199.232.168.193

  • 8.8.8.8:53
    www.microsoft.com
    dns
    126 B
    230 B
    2
    1

    DNS Request

    www.microsoft.com

    DNS Request

    www.microsoft.com

    DNS Response

    2.17.5.133

  • 8.8.8.8:53
    i.imgur.com
    dns
    57 B
    112 B
    1
    1

    DNS Request

    i.imgur.com

    DNS Response

    151.101.60.193

  • 8.8.8.8:53
    api.ipify.org
    dns
    cmd.exe
    59 B
    126 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    104.237.62.212
    64.185.227.156
    173.231.16.77

  • 8.8.8.8:53
    time-a.nist.gov
    dns
    cmd.exe
    61 B
    100 B
    1
    1

    DNS Request

    time-a.nist.gov

    DNS Response

    129.6.15.28

  • 8.8.8.8:53
    time-a-g.nist.gov
    dns
    cmd.exe
    126 B
    79 B
    2
    1

    DNS Request

    time-a-g.nist.gov

    DNS Request

    time-a-g.nist.gov

    DNS Response

    129.6.15.28

  • 8.8.8.8:53
    time.nist.gov
    dns
    cmd.exe
    59 B
    98 B
    1
    1

    DNS Request

    time.nist.gov

    DNS Response

    132.163.97.3

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

    Filesize

    3KB

    MD5

    b4cd27f2b37665f51eb9fe685ec1d373

    SHA1

    7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

    SHA256

    91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

    SHA512

    e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

  • C:\Users\Admin\AppData\Local\Temp\x64btit.txt

    Filesize

    28B

    MD5

    ebc99b8fff3a6ff144ca58f73d2b9d7b

    SHA1

    9f2e6623fd0074cd3f9dbb59d184d32098d83133

    SHA256

    a29526f00c9f0de050c7003624ddc94e1dd0419f16c99b328d67f073352ac535

    SHA512

    9acc3b34348403ec74f2bb234f6f4853e771815fd517a573a6c6dcb9c73083d385fa16970e3953ee0b366716dbd012442cf1399d3064e0c5c2928dde72e7a198

  • memory/1888-8-0x00000000001F0000-0x00000000001F8000-memory.dmp

    Filesize

    32KB

  • memory/1888-2-0x0000000000090000-0x0000000000092000-memory.dmp

    Filesize

    8KB

  • memory/1888-14-0x0000000004580000-0x0000000004604000-memory.dmp

    Filesize

    528KB

  • memory/1888-9-0x0000000004580000-0x0000000004604000-memory.dmp

    Filesize

    528KB

  • memory/2444-20-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2444-22-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2444-10-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2444-11-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2444-12-0x0000000000090000-0x0000000000098000-memory.dmp

    Filesize

    32KB

  • memory/2444-42-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2444-18-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2444-19-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2444-40-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2444-21-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2444-23-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2444-38-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2444-37-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2444-36-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2444-33-0x00000000002C0000-0x00000000002DF000-memory.dmp

    Filesize

    124KB

  • memory/2444-35-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/2444-31-0x0000000010000000-0x0000000010016000-memory.dmp

    Filesize

    88KB

  • memory/2940-1-0x0000000000280000-0x000000000028A000-memory.dmp

    Filesize

    40KB

  • memory/2940-3-0x0000000000400000-0x0000000000738000-memory.dmp

    Filesize

    3.2MB

  • memory/2940-6-0x0000000000280000-0x000000000028A000-memory.dmp

    Filesize

    40KB

  • memory/2940-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2940-4-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB