a4e4e343cf8b6023977421175f1787a4b01eddfcfe7b142b2cbdcff079315b16

Analysis

max time kernel
146s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 01:01 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe
Size

1.9MB
MD5

0c6af8ca5ace541a278647550954406b
SHA1

af114a253494f59e91011d854a3c2f0c12f58198
SHA256

320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339
SHA512

047094710f62caea9b63d65cf8894d17490bf0e2366dd0fd141f2a88a9a6a9f7d14f99d8e935f047a6b1896c8f36061bea5568c7d95e9fcb14816096cd9287b0
SSDEEP

49152:Ju5z1o02R2cFB3gwqQXSjewyeCx/DLO7b8Zf05yPmsn:ME03yB3gwqqSKbWe8IN

Score

10^/10

collection discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5OP2bQ4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	5OP2bQ4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	5OP2bQ4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	5OP2bQ4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	5OP2bQ4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	5OP2bQ4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	5OP2bQ4.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	5OP2bQ4.exe

Executes dropped EXE 2 IoCs

pid	Process
4000	2VW7324.exe
1588	5OP2bQ4.exe

Loads dropped DLL 1 IoCs

pid	Process
1588	5OP2bQ4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	5OP2bQ4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5OP2bQ4.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5OP2bQ4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5OP2bQ4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5OP2bQ4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	5OP2bQ4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
72	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000800000002323c-5.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1588	5OP2bQ4.exe
1588	5OP2bQ4.exe
1588	5OP2bQ4.exe
1588	5OP2bQ4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5824	1588	WerFault.exe	100

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5996	schtasks.exe
2444	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4148	msedge.exe
4148	msedge.exe
1648	msedge.exe
1648	msedge.exe
8	msedge.exe
8	msedge.exe
2276	msedge.exe
2276	msedge.exe
5200	powershell.exe
5200	powershell.exe
5200	powershell.exe
1736	identity_helper.exe
1736	identity_helper.exe
1588	5OP2bQ4.exe
1588	5OP2bQ4.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	5OP2bQ4.exe
Token: SeDebugPrivilege	5200	powershell.exe
Token: 33	5404	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5404	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4000	2VW7324.exe
4000	2VW7324.exe
4000	2VW7324.exe
4000	2VW7324.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
4000	2VW7324.exe
4000	2VW7324.exe
4000	2VW7324.exe
4000	2VW7324.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1588	5OP2bQ4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 4000	2928	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	89
PID 2928 wrote to memory of 4000	2928	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	89
PID 2928 wrote to memory of 4000	2928	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	89
PID 4000 wrote to memory of 8	4000	2VW7324.exe	92
PID 4000 wrote to memory of 8	4000	2VW7324.exe	92
PID 4000 wrote to memory of 3652	4000	2VW7324.exe	94
PID 4000 wrote to memory of 3652	4000	2VW7324.exe	94
PID 8 wrote to memory of 2136	8	msedge.exe	95
PID 8 wrote to memory of 2136	8	msedge.exe	95
PID 3652 wrote to memory of 1572	3652	msedge.exe	96
PID 3652 wrote to memory of 1572	3652	msedge.exe	96
PID 4000 wrote to memory of 1452	4000	2VW7324.exe	97
PID 4000 wrote to memory of 1452	4000	2VW7324.exe	97
PID 1452 wrote to memory of 4552	1452	msedge.exe	98
PID 1452 wrote to memory of 4552	1452	msedge.exe	98
PID 2928 wrote to memory of 1588	2928	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	100
PID 2928 wrote to memory of 1588	2928	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	100
PID 2928 wrote to memory of 1588	2928	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	100
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 4148	8	msedge.exe	101
PID 8 wrote to memory of 4148	8	msedge.exe	101
PID 3652 wrote to memory of 4692	3652	msedge.exe	105
PID 3652 wrote to memory of 4692	3652	msedge.exe	105
PID 3652 wrote to memory of 4692	3652	msedge.exe	105
PID 3652 wrote to memory of 4692	3652	msedge.exe	105

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5OP2bQ4.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5OP2bQ4.exe

C:\Users\Admin\AppData\Local\Temp\320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe
"C:\Users\Admin\AppData\Local\Temp\320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2VW7324.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2VW7324.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffef8f046f8,0x7ffef8f04708,0x7ffef8f04718
      4⤵
      PID:2136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
      4⤵
      PID:2456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
      4⤵
      PID:1116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      PID:4740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:4836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
      4⤵
      PID:4596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
      4⤵
      PID:5180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
      4⤵
      PID:5516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4052 /prefetch:8
      4⤵
      PID:6104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4032 /prefetch:8
      4⤵
      PID:5392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6428 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6428 /prefetch:8
      4⤵
      PID:4660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
      4⤵
      PID:6044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
      4⤵
      PID:4368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
      4⤵
      PID:3512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
      4⤵
      PID:1804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5168 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffef8f046f8,0x7ffef8f04708,0x7ffef8f04718
      4⤵
      PID:1572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,16062424752855210033,6731779252596961332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,16062424752855210033,6731779252596961332,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
      4⤵
      PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffef8f046f8,0x7ffef8f04708,0x7ffef8f04718
      4⤵
      PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1472,3380457160740074791,7238868451392339961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2276
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5OP2bQ4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5OP2bQ4.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:1588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5200
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    PID:5556
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:5996
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    PID:6116
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 3052
    3⤵
    - Program crash
    PID:5824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x390
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5944

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1588 -ip 1588
1⤵
PID:5672

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv DY6gquex7kOdW6kiTyVDvA.0.2
1⤵
PID:2444

Network

DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

accounts.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

64.233.166.84
DNS

facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

facebook.com

IN A

Response

facebook.com

IN A

163.70.147.35
DNS

180.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.178.17.96.in-addr.arpa

IN PTR

Response

180.178.17.96.in-addr.arpa

IN PTR

a96-17-178-180deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
GET

https://accounts.google.com/

msedge.exe

Remote address:

64.233.166.84:443

Request

GET / HTTP/2.0
host: accounts.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

msedge.exe

Remote address:

64.233.166.84:443

Request

GET /ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Host-GAPS=1:BJACe7M5Ob99U06qmv2bH768kBzY3g:cXV4G5GKxIH0a9Fk
GET

https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp2Ep0yo8YLAC9DuLk9jqZnzA0L74VClCEp8d2BFUzTYoqTupugKoMmwwxNDXaRkT5gNfxVp

msedge.exe

Remote address:

64.233.166.84:443

Request

GET /InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp2Ep0yo8YLAC9DuLk9jqZnzA0L74VClCEp8d2BFUzTYoqTupugKoMmwwxNDXaRkT5gNfxVp HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0"
sec-ch-ua-model: ""
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Host-GAPS=1:BJACe7M5Ob99U06qmv2bH768kBzY3g:cXV4G5GKxIH0a9Fk
DNS

www.youtube.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

172.217.169.78

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

142.250.180.14
GET

https://www.youtube.com/

msedge.exe

Remote address:

142.250.187.206:443

Request

GET / HTTP/2.0
host: www.youtube.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
DNS

www.facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

157.240.221.35
DNS

208.194.73.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.194.73.20.in-addr.arpa

IN PTR

Response
DNS

84.166.233.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

84.166.233.64.in-addr.arpa

IN PTR

Response

84.166.233.64.in-addr.arpa

IN PTR

wm-in-f841e100net
DNS

206.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.187.250.142.in-addr.arpa

IN PTR

Response

206.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f141e100net
DNS

35.147.70.163.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.147.70.163.in-addr.arpa

IN PTR

Response

35.147.70.163.in-addr.arpa

IN PTR

edge-star-mini-shv-01-lhr6facebookcom
DNS

35.221.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.221.240.157.in-addr.arpa

IN PTR

Response

35.221.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-lhr8facebookcom
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

i.ytimg.com

msedge.exe

Remote address:

8.8.8.8:53

Request

i.ytimg.com

IN A

Response

i.ytimg.com

IN A

216.58.201.118

i.ytimg.com

IN A

216.58.204.86

i.ytimg.com

IN A

172.217.169.22

i.ytimg.com

IN A

216.58.212.214

i.ytimg.com

IN A

172.217.169.86

i.ytimg.com

IN A

172.217.169.54

i.ytimg.com

IN A

142.250.179.246

i.ytimg.com

IN A

142.250.180.22

i.ytimg.com

IN A

142.250.187.214

i.ytimg.com

IN A

142.250.187.246

i.ytimg.com

IN A

172.217.16.246

i.ytimg.com

IN A

142.250.178.22

i.ytimg.com

IN A

142.250.200.54

i.ytimg.com

IN A

142.250.200.22
DNS

jnn-pa.googleapis.com

msedge.exe

Remote address:

8.8.8.8:53

Request

jnn-pa.googleapis.com

IN A

Response

jnn-pa.googleapis.com

IN A

142.250.200.42

jnn-pa.googleapis.com

IN A

142.250.200.10

jnn-pa.googleapis.com

IN A

216.58.201.106

jnn-pa.googleapis.com

IN A

216.58.204.74

jnn-pa.googleapis.com

IN A

216.58.213.10

jnn-pa.googleapis.com

IN A

216.58.212.202

jnn-pa.googleapis.com

IN A

172.217.169.42

jnn-pa.googleapis.com

IN A

142.250.179.234

jnn-pa.googleapis.com

IN A

142.250.180.10

jnn-pa.googleapis.com

IN A

142.250.187.202

jnn-pa.googleapis.com

IN A

142.250.187.234

jnn-pa.googleapis.com

IN A

172.217.16.234

jnn-pa.googleapis.com

IN A

142.250.178.10
DNS

167.11.125.74.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.11.125.74.in-addr.arpa

IN PTR

Response

167.11.125.74.in-addr.arpa

IN PTR

mrs09s02-in-f71e100net
OPTIONS

https://jnn-pa.googleapis.com/$rpc/google.internal.waa.v1.Waa/Create

msedge.exe

Remote address:

142.250.200.42:443

Request

OPTIONS /$rpc/google.internal.waa.v1.Waa/Create HTTP/2.0
host: jnn-pa.googleapis.com
accept: */*
access-control-request-method: POST
access-control-request-headers: content-type,x-goog-api-key,x-user-agent
origin: https://www.youtube.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-fetch-mode: cors
sec-fetch-site: cross-site
sec-fetch-dest: empty
referer: https://www.youtube.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://rr2---sn-hgn7yn7l.googlevideo.com/videoplayback?expire=3978657290&ei=sjUjroDFumNmymlR4AHGGHl&ip=47.48.8.72&id=o-AFYfvhPbJaKNHb9Hb31t0EwqFdfGwugGLqCAk00PtI6Tt&itag=18&source=youtube&requiressl=yes&mh=X6&mm=335%2C01831%2C51577&mn=jXofo%2C45duG%2CKMotd&ms=jXofo%2C45duG%2CKMotd&mv=P&mvi=3&pl=98&ctier=L&initcwndbps=4231059&siu=3&spc=R2k1x_it8-baEp8_poaRH1nXgLS1jyQOZr_yblNLk2sa&vprv=3&svpuc=3&mime=video%2Fmp4&ns=A0GPAhN6unn1qjD5f6pte1tX&cnr=98&ratebypass=yes&dur=68010612&lmt=2156195379231848&mt=3978657290&fvip=3&c=WEB&txp=4231059&n=UoakYyxk0mbZpNEl&sparams=expire%2Cei%2Cip%2Cid%2Citag%2Csource%2Crequiressl%2Csiu%2Cspc%2Cvprv%2Csvpuc%2Cmime%2Cns%2Ccnr%2Cratebypass%2Cdur%2Clmt&sig=IjOeTekEFAxaSHNEga6S2HCLNsfpybvadwzCjMVBDnD4WPUcgqJ5Bb5e6nLp3AUZsOQDrf-X5lTpZjLJzzOHGVqtvro6A5rBkkR7-t4jrOwI&lsparams=mh%2Cmm%2Cmn%2Cms%2Cmv%2Cmvi%2Cpl%2Cinitcwndbps&lsig=IjOeTekEFAxaSHNEga6S2HCLNsfpybvadwzCjMVBDnD4WPUcgqJ5Bb5e6nLp3AUZsOQDrf-X5lTpZjLJzzOHGVqtvro6A5rBkkR7-t4jrOwI

msedge.exe

Remote address:

74.125.11.167:443

Request

GET /videoplayback?expire=3978657290&ei=sjUjroDFumNmymlR4AHGGHl&ip=47.48.8.72&id=o-AFYfvhPbJaKNHb9Hb31t0EwqFdfGwugGLqCAk00PtI6Tt&itag=18&source=youtube&requiressl=yes&mh=X6&mm=335%2C01831%2C51577&mn=jXofo%2C45duG%2CKMotd&ms=jXofo%2C45duG%2CKMotd&mv=P&mvi=3&pl=98&ctier=L&initcwndbps=4231059&siu=3&spc=R2k1x_it8-baEp8_poaRH1nXgLS1jyQOZr_yblNLk2sa&vprv=3&svpuc=3&mime=video%2Fmp4&ns=A0GPAhN6unn1qjD5f6pte1tX&cnr=98&ratebypass=yes&dur=68010612&lmt=2156195379231848&mt=3978657290&fvip=3&c=WEB&txp=4231059&n=UoakYyxk0mbZpNEl&sparams=expire%2Cei%2Cip%2Cid%2Citag%2Csource%2Crequiressl%2Csiu%2Cspc%2Cvprv%2Csvpuc%2Cmime%2Cns%2Ccnr%2Cratebypass%2Cdur%2Clmt&sig=IjOeTekEFAxaSHNEga6S2HCLNsfpybvadwzCjMVBDnD4WPUcgqJ5Bb5e6nLp3AUZsOQDrf-X5lTpZjLJzzOHGVqtvro6A5rBkkR7-t4jrOwI&lsparams=mh%2Cmm%2Cmn%2Cms%2Cmv%2Cmvi%2Cpl%2Cinitcwndbps&lsig=IjOeTekEFAxaSHNEga6S2HCLNsfpybvadwzCjMVBDnD4WPUcgqJ5Bb5e6nLp3AUZsOQDrf-X5lTpZjLJzzOHGVqtvro6A5rBkkR7-t4jrOwI HTTP/1.1
Host: rr2---sn-hgn7yn7l.googlevideo.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
DNT: 1
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: */*
Origin: https://www.youtube.com
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.youtube.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
DNS

ipinfo.io

5OP2bQ4.exe

Remote address:

8.8.8.8:53

Request

ipinfo.io

IN A
DNS

104.241.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.241.123.92.in-addr.arpa

IN PTR

Response

104.241.123.92.in-addr.arpa

IN PTR

a92-123-241-104deploystaticakamaitechnologiescom
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

Remote address:

88.221.135.211:80

Response

HTTP/1.1 206 Partial Content

Cache-Control: public, max-age=17280000
Accept-Ranges: bytes
X-AspNetMvc-Version: 5.2
MS-CorrelationId: fdb419ca-bb82-438e-ac59-481089ab18ea
MS-RequestId: c62b8885-3dce-4fdb-943e-42b014d3b60e
MS-CV: FuDIkvp/PUOqVolL.0
Content-Disposition: attachment; filename=Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x86__8wekyb3d8bbwe.Msix
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Powered-By: ARR/3.0
X-Powered-By: ASP.NET
X-Azure-Ref-OriginShield: Ref A: 3931C840F9EC47CB98FBAA82F91BFB34 Ref B: CH1AA2040903034 Ref C: 2023-03-15T18:24:30Z
X-MSEdge-Ref: Ref A: CF19AD083D9340C49C57567DEB7E80E2 Ref B: BY3EDGE0405 Ref C: 2023-03-15T18:24:31Z
Last-Modified: Wed, 15 Mar 2023 18:19:22 GMT
ETag: "xVFKVu+y70Rbxkk0UrUZvkwvZDg="
Date: Thu, 04 Jan 2024 01:02:28 GMT
Content-Type: multipart/byteranges; boundary=299EFCA8F0DF3779
Connection: close
X-CID: 2
X-CCC: GB
DNS

211.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.135.221.88.in-addr.arpa

IN PTR
DNS

211.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.135.221.88.in-addr.arpa

IN PTR
DNS

Remote address:

8.8.8.8:53

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301306_14JKCMWI1LY9W4K6L&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301306_14JKCMWI1LY9W4K6L&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 389297
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D32FA69E813D473A87940CF9EF865EEB Ref B: LON04EDGE0707 Ref C: 2024-01-04T01:03:11Z
date: Thu, 04 Jan 2024 01:03:11 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301219_14UAHY3NBMU2Z6DRW&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301219_14UAHY3NBMU2Z6DRW&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 324072
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 48B7A1A0E78E48089DB86FE229A415C2 Ref B: LON04EDGE0707 Ref C: 2024-01-04T01:03:11Z
date: Thu, 04 Jan 2024 01:03:11 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301628_1KUT45F8FQUS0QNCJ&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301628_1KUT45F8FQUS0QNCJ&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 210177
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6FBDE095E77E4DFDBEDE6688B33CA1B8 Ref B: LON04EDGE0707 Ref C: 2024-01-04T01:03:11Z
date: Thu, 04 Jan 2024 01:03:11 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301350_1Z4V77U5VD5OSNS2M&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301350_1Z4V77U5VD5OSNS2M&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301715_1L98D8CO0BH9X0WDY&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301715_1L98D8CO0BH9X0WDY&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
DNS

81.171.91.138.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.171.91.138.in-addr.arpa

IN PTR

Response
DNS

32.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

32.134.221.88.in-addr.arpa

IN PTR

Response

32.134.221.88.in-addr.arpa

IN PTR

a88-221-134-32deploystaticakamaitechnologiescom

64.233.166.84:443

accounts.google.com

tls, http2

msedge.exe

1.3kB
2.6kB
10
7
163.70.147.35:443

facebook.com

tls, http2

msedge.exe

995 B
788 B
9
7
64.233.166.84:443

https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp2Ep0yo8YLAC9DuLk9jqZnzA0L74VClCEp8d2BFUzTYoqTupugKoMmwwxNDXaRkT5gNfxVp

tls, http2

msedge.exe

2.8kB
10.4kB
23
29

HTTP Request

GET https://accounts.google.com/

HTTP Request

GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

HTTP Request

GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp2Ep0yo8YLAC9DuLk9jqZnzA0L74VClCEp8d2BFUzTYoqTupugKoMmwwxNDXaRkT5gNfxVp
142.250.187.206:443

https://www.youtube.com/

tls, http2

msedge.exe

4.3kB
56.0kB
50
52

HTTP Request

GET https://www.youtube.com/
163.70.147.35:443

facebook.com

tls

msedge.exe

1.7kB
3.5kB
13
14
157.240.221.35:443

www.facebook.com

tls

msedge.exe

4.5kB
33.9kB
30
41
216.58.201.118:443

i.ytimg.com

tls

msedge.exe

1.4kB
208 B
7
4
142.250.200.42:443

https://jnn-pa.googleapis.com/$rpc/google.internal.waa.v1.Waa/Create

tls, http2

msedge.exe

1.7kB
6.9kB
13
15

HTTP Request

OPTIONS https://jnn-pa.googleapis.com/$rpc/google.internal.waa.v1.Waa/Create
74.125.11.167:443

rr2---sn-hgn7yn7l.googlevideo.com

tls

msedge.exe

2.5kB
6.4kB
9
9
74.125.11.167:443

rr2---sn-hgn7yn7l.googlevideo.com

tls

msedge.exe

2.4kB
6.4kB
8
9
74.125.11.167:443

msedge.exe

52 B
1
74.125.11.167:443

msedge.exe

190 B
132 B
4
3
74.125.11.167:443

https://rr2---sn-hgn7yn7l.googlevideo.com/videoplayback?expire=3978657290&ei=sjUjroDFumNmymlR4AHGGHl&ip=47.48.8.72&id=o-AFYfvhPbJaKNHb9Hb31t0EwqFdfGwugGLqCAk00PtI6Tt&itag=18&source=youtube&requiressl=yes&mh=X6&mm=335%2C01831%2C51577&mn=jXofo%2C45duG%2CKMotd&ms=jXofo%2C45duG%2CKMotd&mv=P&mvi=3&pl=98&ctier=L&initcwndbps=4231059&siu=3&spc=R2k1x_it8-baEp8_poaRH1nXgLS1jyQOZr_yblNLk2sa&vprv=3&svpuc=3&mime=video%2Fmp4&ns=A0GPAhN6unn1qjD5f6pte1tX&cnr=98&ratebypass=yes&dur=68010612&lmt=2156195379231848&mt=3978657290&fvip=3&c=WEB&txp=4231059&n=UoakYyxk0mbZpNEl&sparams=expire%2Cei%2Cip%2Cid%2Citag%2Csource%2Crequiressl%2Csiu%2Cspc%2Cvprv%2Csvpuc%2Cmime%2Cns%2Ccnr%2Cratebypass%2Cdur%2Clmt&sig=IjOeTekEFAxaSHNEga6S2HCLNsfpybvadwzCjMVBDnD4WPUcgqJ5Bb5e6nLp3AUZsOQDrf-X5lTpZjLJzzOHGVqtvro6A5rBkkR7-t4jrOwI&lsparams=mh%2Cmm%2Cmn%2Cms%2Cmv%2Cmvi%2Cpl%2Cinitcwndbps&lsig=IjOeTekEFAxaSHNEga6S2HCLNsfpybvadwzCjMVBDnD4WPUcgqJ5Bb5e6nLp3AUZsOQDrf-X5lTpZjLJzzOHGVqtvro6A5rBkkR7-t4jrOwI

tls, http

msedge.exe

2.4kB
5.5kB
7
6

HTTP Request

GET https://rr2---sn-hgn7yn7l.googlevideo.com/videoplayback?expire=3978657290&ei=sjUjroDFumNmymlR4AHGGHl&ip=47.48.8.72&id=o-AFYfvhPbJaKNHb9Hb31t0EwqFdfGwugGLqCAk00PtI6Tt&itag=18&source=youtube&requiressl=yes&mh=X6&mm=335%2C01831%2C51577&mn=jXofo%2C45duG%2CKMotd&ms=jXofo%2C45duG%2CKMotd&mv=P&mvi=3&pl=98&ctier=L&initcwndbps=4231059&siu=3&spc=R2k1x_it8-baEp8_poaRH1nXgLS1jyQOZr_yblNLk2sa&vprv=3&svpuc=3&mime=video%2Fmp4&ns=A0GPAhN6unn1qjD5f6pte1tX&cnr=98&ratebypass=yes&dur=68010612&lmt=2156195379231848&mt=3978657290&fvip=3&c=WEB&txp=4231059&n=UoakYyxk0mbZpNEl&sparams=expire%2Cei%2Cip%2Cid%2Citag%2Csource%2Crequiressl%2Csiu%2Cspc%2Cvprv%2Csvpuc%2Cmime%2Cns%2Ccnr%2Cratebypass%2Cdur%2Clmt&sig=IjOeTekEFAxaSHNEga6S2HCLNsfpybvadwzCjMVBDnD4WPUcgqJ5Bb5e6nLp3AUZsOQDrf-X5lTpZjLJzzOHGVqtvro6A5rBkkR7-t4jrOwI&lsparams=mh%2Cmm%2Cmn%2Cms%2Cmv%2Cmvi%2Cpl%2Cinitcwndbps&lsig=IjOeTekEFAxaSHNEga6S2HCLNsfpybvadwzCjMVBDnD4WPUcgqJ5Bb5e6nLp3AUZsOQDrf-X5lTpZjLJzzOHGVqtvro6A5rBkkR7-t4jrOwI
163.70.147.23:443

tls, https

msedge.exe

1.9kB
69.8kB
30
66
193.233.132.62:50500

5OP2bQ4.exe

2.5kB
131.5kB
24
96
204.79.197.200:443

20.9kB
734.4kB
441
527
204.79.197.200:443

46 B
1
20.223.35.26:443

46 B
1
204.79.197.200:443

46 B
1
142.250.180.3:443

msedge.exe

92 B
104 B
2
2
163.70.147.23:443

msedge.exe
163.70.147.23:443

msedge.exe
74.125.11.167:443

msedge.exe
74.125.11.167:443

msedge.exe
163.70.147.35:443

facebook.com

tls, https

msedge.exe

138 B
199 B
3
4
142.250.178.14:443

www.youtube.com

msedge.exe

46 B
52 B
1
1
142.250.200.4:443

msedge.exe

46 B
52 B
1
1
88.221.135.211:80

http

10.9kB
293.6kB
203
213

HTTP Response

206
34.117.186.192:443

5OP2bQ4.exe
20.82.228.9:443
216.58.204.78:443

www.youtube.com

msedge.exe

92 B
52 B
2
1
96.16.110.114:80
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.4kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.4kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.5kB
8.3kB
15
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301715_1L98D8CO0BH9X0WDY&pid=21.2&w=1080&h=1920&c=4

tls, http2

47.9kB
1.2MB
913
909

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301306_14JKCMWI1LY9W4K6L&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301219_14UAHY3NBMU2Z6DRW&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301628_1KUT45F8FQUS0QNCJ&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301350_1Z4V77U5VD5OSNS2M&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301715_1L98D8CO0BH9X0WDY&pid=21.2&w=1080&h=1920&c=4
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.5kB
8.2kB
15
13
96.17.178.174:80

8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

accounts.google.com

dns

msedge.exe

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

64.233.166.84
8.8.8.8:53

facebook.com

dns

msedge.exe

58 B
74 B
1
1

DNS Request

facebook.com

DNS Response

163.70.147.35
8.8.8.8:53

180.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

180.178.17.96.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

www.youtube.com

dns

msedge.exe

61 B
271 B
1
1

DNS Request

www.youtube.com

DNS Response

142.250.187.206

142.250.187.238

172.217.16.238

142.250.178.14

142.250.200.46

142.250.200.14

216.58.201.110

216.58.204.78

172.217.169.78

142.250.179.238

142.250.180.14
64.233.166.84:443

accounts.google.com

https

msedge.exe

6.7kB
121.2kB
52
94
8.8.8.8:53

www.facebook.com

dns

msedge.exe

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

157.240.221.35
8.8.8.8:53

208.194.73.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

208.194.73.20.in-addr.arpa
8.8.8.8:53

84.166.233.64.in-addr.arpa

dns

72 B
105 B
1
1

DNS Request

84.166.233.64.in-addr.arpa
8.8.8.8:53

206.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

206.187.250.142.in-addr.arpa
8.8.8.8:53

35.147.70.163.in-addr.arpa

dns

72 B
125 B
1
1

DNS Request

35.147.70.163.in-addr.arpa
8.8.8.8:53

35.221.240.157.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

35.221.240.157.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
142.250.187.206:443

www.youtube.com

https

msedge.exe

17.1kB
1.7MB
202
1268
8.8.8.8:53

i.ytimg.com

dns

msedge.exe

57 B
281 B
1
1

DNS Request

i.ytimg.com

DNS Response

216.58.201.118

216.58.204.86

172.217.169.22

216.58.212.214

172.217.169.86

172.217.169.54

142.250.179.246

142.250.180.22

142.250.187.214

142.250.187.246

172.217.16.246

142.250.178.22

142.250.200.54

142.250.200.22
142.250.180.3:443

msedge.exe

123 B
360 B
2
3
142.250.180.3:443

https

msedge.exe

2.4kB
34.6kB
20
31
8.8.8.8:53

jnn-pa.googleapis.com

dns

msedge.exe

67 B
275 B
1
1

DNS Request

jnn-pa.googleapis.com

DNS Response

142.250.200.42

142.250.200.10

216.58.201.106

216.58.204.74

216.58.213.10

216.58.212.202

172.217.169.42

142.250.179.234

142.250.180.10

142.250.187.202

142.250.187.234

172.217.16.234

142.250.178.10
8.8.8.8:53

167.11.125.74.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

167.11.125.74.in-addr.arpa
142.250.200.42:443

jnn-pa.googleapis.com

https

msedge.exe

7.0kB
51.3kB
33
48
224.0.0.251:5353

msedge.exe

197 B
3
8.8.8.8:53

ipinfo.io

dns

5OP2bQ4.exe

55 B
1

DNS Request

ipinfo.io
216.58.204.78:443

www.youtube.com

https

msedge.exe

3.6kB
8.8kB
9
12
216.58.204.78:443

www.youtube.com

https

msedge.exe

14.5kB
3.4kB
27
24
8.8.8.8:53

104.241.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

104.241.123.92.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

144 B
137 B
2
1

DNS Request

18.134.221.88.in-addr.arpa

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

216 B
158 B
3
1

DNS Request

119.110.54.20.in-addr.arpa

DNS Request

119.110.54.20.in-addr.arpa

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

142 B
116 B
2
1

DNS Request

0.204.248.87.in-addr.arpa

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

211.135.221.88.in-addr.arpa

dns

146 B
2

DNS Request

211.135.221.88.in-addr.arpa

DNS Request

211.135.221.88.in-addr.arpa
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

dns

137 B
1
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

81.171.91.138.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

81.171.91.138.in-addr.arpa
8.8.8.8:53

32.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

32.134.221.88.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8a1d28b5eda8ec0917a7e1796d3aa193

SHA1
5604a535bf3e5492b9bf3ade78ca7d463a4bfdb2

SHA256
dfaf6313fd293f6013f58fb6790fd38ca2f04931403267b7a6aef7bfa81d50bb

SHA512
51b5bec82ff9ffb45fee5c9dd1d51559c351253489ea83a66e290459975d8ca899cde4f3bb5afbaa7a3f0b169f87a7514d8df88baaeec5bd72d190fd6d3e041b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
283e9c6938dc2370fd65c01ea48c84c1

SHA1
324ac57063c5297a9bfedcfa12b41b9766e19bb3

SHA256
9c8f7856d4822fbf4052356c0a13c40760538036e75a83e76ab53e1089dd2cbe

SHA512
fcca3c394e755396301d61aea47ec092d63f60eb37f798736ce570520f27910b4e149ed2a3368a46cf6fa4645e17039bbbad6b1b2aae6ca71400a55d4a39ac3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
96001d7e7957bd6f856fc9a88c31f9db

SHA1
bd414186263cd518f438bce1864dcc9c3d0d0488

SHA256
de8e95fdc609d4d49c5acae9979960f3609d8b5c8ea92bbca1f84b8a1f57e29f

SHA512
8636d0e806f5bd29f4e2984065c94e6298dd2c9e8f4b75457486f2ccb50f2990e6173ad340e2c1f33285d90968ffc00a3ccee1e2dfd609e29a5dd4bc5d5e86f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
115121827dbc3e7a14acff6333db1889

SHA1
fe883f0e3414f3426eb370198317650e7901cca1

SHA256
c0d77b71daa8b01ea02b902d47b554ce6589d2c757f2aa86b02e0b0bb8e9c7b2

SHA512
d164704bed650d317bf906f3a2b39db79aa3c5af81435b2ef44b2431efc1f45dbc00498192716c7e7fdc89705930d9dac369d23f0795f5f38f696f7fa4eeecdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6834bcce00768e5be5f0be2f0bf5d029

SHA1
5b5093870879e9fa17bbeb0587819b8751494d40

SHA256
8c1d84a0545cff20bfb207d55d08693547dce108840d0b249ffc467e27db4532

SHA512
158a72c23f92c3d1553ea7d0354ed68680b5d366d287755b3944baa08ed144a8bfc7cfd31b31602f01014614d530f44df469d033b63cf4c9b5a53cbe3ffd1eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2VW7324.exe

Filesize
894KB

MD5
779db1fcaa2b01c67fa62fdcf541137c

SHA1
85aa8928790bc40c8dcfac0585e87526d285905b

SHA256
0b343aceb8665dabb2f978310bc369bcac837bc19c7422d059fd485d50bb2c42

SHA512
b657c28f2159a283214b8ad103492f467e79bbd6465385bde9f15e5c3712433e7d77bf08b5637c2d4dcd7c2fa85fe4704ce0cf4096af4097861762fe10f5a00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5OP2bQ4.exe

Filesize
1.2MB

MD5
ab812696602745c67219e64b261d236c

SHA1
2ede1b91dc93469214e1cdd59220b70cb6fb8652

SHA256
40908148235975b5961d7057def9967fdaf563c9416cd1824db2f7a6f4928df3

SHA512
e8e5b84aa7319a96ce31b0b12c8a9dac7a5a505a93b931664ad5b4a3ec5b15ffb565545030654d21df640c94d33425ac7cb46af8f8b1eaa5533c6fb53ced26b5

Download Submit
memory/1588-25-0x0000000000650000-0x0000000000AAE000-memory.dmp

Filesize
4.4MB

Download
memory/1588-56-0x0000000008870000-0x00000000088E6000-memory.dmp

Filesize
472KB

Download
memory/1588-42-0x0000000000650000-0x0000000000AAE000-memory.dmp

Filesize
4.4MB

Download
memory/1588-567-0x0000000000650000-0x0000000000AAE000-memory.dmp

Filesize
4.4MB

Download
memory/1588-550-0x0000000000650000-0x0000000000AAE000-memory.dmp

Filesize
4.4MB

Download
memory/1588-463-0x000000000A630000-0x000000000A984000-memory.dmp

Filesize
3.3MB

Download
memory/1588-461-0x0000000000650000-0x0000000000AAE000-memory.dmp

Filesize
4.4MB

Download
memory/1588-462-0x000000000A090000-0x000000000A0AE000-memory.dmp

Filesize
120KB

Download
memory/1588-369-0x0000000000650000-0x0000000000AAE000-memory.dmp

Filesize
4.4MB

Download
memory/5200-194-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/5200-231-0x0000000007790000-0x00000000077A1000-memory.dmp

Filesize
68KB

Download
memory/5200-122-0x0000000006730000-0x000000000677C000-memory.dmp

Filesize
304KB

Download
memory/5200-174-0x000000007F740000-0x000000007F750000-memory.dmp

Filesize
64KB

Download
memory/5200-89-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/5200-195-0x0000000006830000-0x000000000684E000-memory.dmp

Filesize
120KB

Download
memory/5200-197-0x0000000007260000-0x0000000007303000-memory.dmp

Filesize
652KB

Download
memory/5200-176-0x000000006FD20000-0x000000006FD6C000-memory.dmp

Filesize
304KB

Download
memory/5200-175-0x0000000006850000-0x0000000006882000-memory.dmp

Filesize
200KB

Download
memory/5200-204-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/5200-205-0x0000000007590000-0x00000000075AA000-memory.dmp

Filesize
104KB

Download
memory/5200-209-0x0000000007600000-0x000000000760A000-memory.dmp

Filesize
40KB

Download
memory/5200-222-0x0000000007810000-0x00000000078A6000-memory.dmp

Filesize
600KB

Download
memory/5200-116-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/5200-323-0x00000000077C0000-0x00000000077CE000-memory.dmp

Filesize
56KB

Download
memory/5200-324-0x00000000077D0000-0x00000000077E4000-memory.dmp

Filesize
80KB

Download
memory/5200-326-0x00000000078B0000-0x00000000078B8000-memory.dmp

Filesize
32KB

Download
memory/5200-325-0x00000000078D0000-0x00000000078EA000-memory.dmp

Filesize
104KB

Download
memory/5200-340-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/5200-105-0x0000000005DD0000-0x0000000006124000-memory.dmp

Filesize
3.3MB

Download
memory/5200-90-0x0000000005420000-0x0000000005A48000-memory.dmp

Filesize
6.2MB

Download
memory/5200-99-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/5200-100-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/5200-93-0x00000000052B0000-0x00000000052D2000-memory.dmp

Filesize
136KB

Download
memory/5200-91-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/5200-92-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/5200-88-0x0000000002940000-0x0000000002976000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.