Analysis

  • max time kernel
    164s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-01-2024 15:51

General

  • Target

    4eb8334d5a6d14429b880b4a1f4450c3.exe

  • Size

    296KB

  • MD5

    4eb8334d5a6d14429b880b4a1f4450c3

  • SHA1

    4834652e101b4897e800c74f496e7f078ce82751

  • SHA256

    774f525de34f9a11cb618cd16ebb810c76ed7ba781d2d1a6e4c637c58a9809ba

  • SHA512

    4c9a6cced3c59743939b73c2c405ba206f8ff3b4cde2ff5794f34e6c6ce613a1c7ec4311948f20029eda38275f192056e4b1892c3edb681044ce93473b3cec94

  • SSDEEP

    6144:MlW5ajsvrW/P2vVSdiF65anjd1RKC9G3RBPB9NVe/YSwN931V:M05IsvA7iF65anjd7pwBPBhSwT

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (64 IoCs)
  • Drops file in System32 directory (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4eb8334d5a6d14429b880b4a1f4450c3.exe
    "C:\Users\Admin\AppData\Local\Temp\4eb8334d5a6d14429b880b4a1f4450c3.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Windows\SysWOW64\winlogin.exe
      C:\Windows\system32\winlogin.exe -meltserver "C:\Users\Admin\AppData\Local\Temp\4eb8334d5a6d14429b880b4a1f4450c3.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Windows\SysWOW64\winlogin.exe
        C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Windows\SysWOW64\winlogin.exe
          C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3092
          • C:\Windows\SysWOW64\winlogin.exe
            C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3228
            • C:\Windows\SysWOW64\winlogin.exe
              C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4960
              • C:\Windows\SysWOW64\winlogin.exe
                C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1652
                • C:\Windows\SysWOW64\winlogin.exe
                  C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:920
                  • C:\Windows\SysWOW64\winlogin.exe
                    C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:1636
                    • C:\Windows\SysWOW64\winlogin.exe
                      C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:5088
                      • C:\Windows\SysWOW64\winlogin.exe
                        C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:220
                        • C:\Windows\SysWOW64\winlogin.exe
                          C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                          12⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:4552
                          • C:\Windows\SysWOW64\winlogin.exe
                            C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                            13⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of WriteProcessMemory
                            PID:2424
                            • C:\Windows\SysWOW64\winlogin.exe
                              C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                              14⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of WriteProcessMemory
                              PID:2068
                              • C:\Windows\SysWOW64\winlogin.exe
                                C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                15⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of WriteProcessMemory
                                PID:3524
                                • C:\Windows\SysWOW64\winlogin.exe
                                  C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of WriteProcessMemory
                                  PID:4388
                                  • C:\Windows\SysWOW64\winlogin.exe
                                    C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of WriteProcessMemory
                                    PID:4520
                                    • C:\Windows\SysWOW64\winlogin.exe
                                      C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                      18⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of WriteProcessMemory
                                      PID:3576
                                      • C:\Windows\SysWOW64\winlogin.exe
                                        C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of WriteProcessMemory
                                        PID:1220
                                        • C:\Windows\SysWOW64\winlogin.exe
                                          C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                          20⤵
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of WriteProcessMemory
                                          PID:4796
                                          • C:\Windows\SysWOW64\winlogin.exe
                                            C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • Suspicious use of WriteProcessMemory
                                            PID:2356
                                            • C:\Windows\SysWOW64\winlogin.exe
                                              C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                              22⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Suspicious use of WriteProcessMemory
                                              PID:2124
                                              • C:\Windows\SysWOW64\winlogin.exe
                                                C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                23⤵
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                PID:1536
                                                • C:\Windows\SysWOW64\winlogin.exe
                                                  C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  PID:3188
                                                  • C:\Windows\SysWOW64\winlogin.exe
                                                    C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    PID:2408
                                                    • C:\Windows\SysWOW64\winlogin.exe
                                                      C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      PID:3392
                                                      • C:\Windows\SysWOW64\winlogin.exe
                                                        C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        PID:3112
                                                        • C:\Windows\SysWOW64\winlogin.exe
                                                          C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          PID:3040
                                                          • C:\Windows\SysWOW64\winlogin.exe
                                                            C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            PID:4508
                                                            • C:\Windows\SysWOW64\winlogin.exe
                                                              C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                              30⤵
                                                              • Executes dropped EXE
                                                              PID:3092
                                                              • C:\Windows\SysWOW64\winlogin.exe
                                                                C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                31⤵
                                                                • Executes dropped EXE
                                                                PID:4404
                                                                • C:\Windows\SysWOW64\winlogin.exe
                                                                  C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  PID:4492
                                                                  • C:\Windows\SysWOW64\winlogin.exe
                                                                    C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    PID:2396
                                                                    • C:\Windows\SysWOW64\winlogin.exe
                                                                      C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      PID:1408
                                                                      • C:\Windows\SysWOW64\winlogin.exe
                                                                        C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        PID:1796
                                                                        • C:\Windows\SysWOW64\winlogin.exe
                                                                          C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                          36⤵
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          PID:2276
                                                                          • C:\Windows\SysWOW64\winlogin.exe
                                                                            C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            PID:4064
                                                                            • C:\Windows\SysWOW64\winlogin.exe
                                                                              C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              PID:3524
                                                                              • C:\Windows\SysWOW64\winlogin.exe
                                                                                C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                PID:4388
                                                                                • C:\Windows\SysWOW64\winlogin.exe
                                                                                  C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:1520
                                                                                  • C:\Windows\SysWOW64\winlogin.exe
                                                                                    C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    PID:4452
                                                                                    • C:\Windows\SysWOW64\winlogin.exe
                                                                                      C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      PID:3604
                                                                                      • C:\Windows\SysWOW64\winlogin.exe
                                                                                        C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:4976
                                                                                        • C:\Windows\SysWOW64\winlogin.exe
                                                                                          C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          PID:4416
                                                                                          • C:\Windows\SysWOW64\winlogin.exe
                                                                                            C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            PID:1072
                                                                                            • C:\Windows\SysWOW64\winlogin.exe
                                                                                              C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              PID:2836
                                                                                              • C:\Windows\SysWOW64\winlogin.exe
                                                                                                C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                PID:4624
                                                                                                • C:\Windows\SysWOW64\winlogin.exe
                                                                                                  C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  PID:2856
                                                                                                  • C:\Windows\SysWOW64\winlogin.exe
                                                                                                    C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    PID:2408
                                                                                                    • C:\Windows\SysWOW64\winlogin.exe
                                                                                                      C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      PID:3756
                                                                                                      • C:\Windows\SysWOW64\winlogin.exe
                                                                                                        C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        PID:324
                                                                                                        • C:\Windows\SysWOW64\winlogin.exe
                                                                                                          C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          PID:1120
                                                                                                          • C:\Windows\SysWOW64\winlogin.exe
                                                                                                            C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            PID:4220
                                                                                                            • C:\Windows\SysWOW64\winlogin.exe
                                                                                                              C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              PID:3272
                                                                                                              • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                PID:1268
                                                                                                                • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                  C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  PID:2792
                                                                                                                  • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                    C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    PID:2384
                                                                                                                    • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                      C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      PID:2016
                                                                                                                      • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                        C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:3328
                                                                                                                        • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                          C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          PID:1720
                                                                                                                          • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                            C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            PID:3104
                                                                                                                            • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                              C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              PID:2276
                                                                                                                              • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                PID:2356
                                                                                                                                • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                  C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  PID:3768
                                                                                                                                  • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                    C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Drops file in System32 directory
                                                                                                                                    PID:2876
                                                                                                                                    • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                      C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                      66⤵
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      PID:2836
                                                                                                                                      • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                        C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                        67⤵
                                                                                                                                        • Drops file in System32 directory
                                                                                                                                        PID:2648
                                                                                                                                        • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                          C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                          68⤵
                                                                                                                                          • Drops file in System32 directory
                                                                                                                                          PID:4624
                                                                                                                                          • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                            C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                            69⤵
                                                                                                                                              PID:3384
                                                                                                                                              • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                                C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                                70⤵
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                PID:2444
                                                                                                                                                • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                                  C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                                  71⤵
                                                                                                                                                    PID:3996
                                                                                                                                                    • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                                      C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                                      72⤵
                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                      PID:5100
                                                                                                                                                      • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                                        C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                                        73⤵
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        PID:1704
                                                                                                                                                        • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                                          C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                                          74⤵
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          PID:4220
                                                                                                                                                          • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                                            C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                                            75⤵
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            PID:1908
                                                                                                                                                            • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                                              C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                                              76⤵
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              PID:524
                                                                                                                                                              • C:\Windows\SysWOW64\winlogin.exe
                                                                                                                                                                C:\Windows\system32\winlogin.exe -meltserver "C:\Windows\SysWOW64\winlogin.exe"
                                                                                                                                                                77⤵
                                                                                                                                                                  PID:760

        Network

        • DNS [US]
          178.223.142.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          178.223.142.52.in-addr.arpa
          IN PTR
          Response
        • DNS [US]
          16.53.126.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          16.53.126.40.in-addr.arpa
          IN PTR
          Response
        • DNS [US]
          16.53.126.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          16.53.126.40.in-addr.arpa
          IN PTR
        • DNS [US]
          95.221.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          95.221.229.192.in-addr.arpa
          IN PTR
          Response
        • DNS [US]
          179.178.17.96.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          179.178.17.96.in-addr.arpa
          IN PTR
          Response
          179.178.17.96.in-addr.arpa
          IN PTR
          a96-17-178-179.deploy.static.akamaitechnologies.com
        • DNS [US]
          179.178.17.96.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          179.178.17.96.in-addr.arpa
          IN PTR
        • DNS [US]
          241.154.82.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          241.154.82.20.in-addr.arpa
          IN PTR
          Response
        • DNS [US]
          88.156.103.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          88.156.103.20.in-addr.arpa
          IN PTR
          Response
        • DNS [US]
          195.233.44.23.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          195.233.44.23.in-addr.arpa
          IN PTR
          Response
          195.233.44.23.in-addr.arpa
          IN PTR
          a23-44-233-195.deploy.static.akamaitechnologies.com
        • DNS [US]
          158.240.127.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          158.240.127.40.in-addr.arpa
          IN PTR
          Response
        • DNS [US]
          26.165.165.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          26.165.165.52.in-addr.arpa
          IN PTR
          Response
        • DNS [US]
          26.165.165.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          26.165.165.52.in-addr.arpa
          IN PTR
        • DNS [US]
          26.165.165.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          26.165.165.52.in-addr.arpa
          IN PTR
        • DNS [US]
          206.23.85.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          206.23.85.13.in-addr.arpa
          IN PTR
          Response
        • DNS [US]
          18.134.221.88.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          18.134.221.88.in-addr.arpa
          IN PTR
          Response
          18.134.221.88.in-addr.arpa
          IN PTR
          a88-221-134-18.deploy.static.akamaitechnologies.com
        • DNS [US]
          18.134.221.88.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          18.134.221.88.in-addr.arpa
          IN PTR
        • DNS [US]
          23.236.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          23.236.111.52.in-addr.arpa
          IN PTR
          Response
        • DNS [US]
          23.236.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          23.236.111.52.in-addr.arpa
          IN PTR
        • DNS [US]
          82.177.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          82.177.190.20.in-addr.arpa
          IN PTR
          Response
        • DNS [US]
          82.177.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          82.177.190.20.in-addr.arpa
          IN PTR
        • DNS [US]
          208.194.73.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          208.194.73.20.in-addr.arpa
          IN PTR
          Response
        • DNS [US]
          187.178.17.96.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          187.178.17.96.in-addr.arpa
          IN PTR
          Response
          187.178.17.96.in-addr.arpa
          IN PTR
          a96-17-178-187.deploy.static.akamaitechnologies.com
        • DNS [US]
          2.136.104.51.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          2.136.104.51.in-addr.arpa
          IN PTR
          Response
        • DNS [US]
          14.173.189.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          14.173.189.20.in-addr.arpa
          IN PTR
          Response
        • DNS [US]
          14.173.189.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          14.173.189.20.in-addr.arpa
          IN PTR
          Response
        • DNS [US]
          tse1.mm.bing.net
          Remote address:
          8.8.8.8:53
          Request
          tse1.mm.bing.net
          IN A
          Response
          tse1.mm.bing.net
          IN CNAME
          mm-mm.bing.net.trafficmanager.net
          mm-mm.bing.net.trafficmanager.net
          IN CNAME
          dual-a-0001.a-msedge.net
          dual-a-0001.a-msedge.net
          IN A
          204.79.197.200
          dual-a-0001.a-msedge.net
          IN A
          13.107.21.200
        • DNS [US]
          tse1.mm.bing.net
          Remote address:
          8.8.8.8:53
          Request
          tse1.mm.bing.net
          IN A
          Response
          tse1.mm.bing.net
          IN CNAME
          mm-mm.bing.net.trafficmanager.net
          mm-mm.bing.net.trafficmanager.net
          IN CNAME
          dual-a-0001.a-msedge.net
          dual-a-0001.a-msedge.net
          IN A
          204.79.197.200
          dual-a-0001.a-msedge.net
          IN A
          13.107.21.200
        • GET [US]
          https://tse1.mm.bing.net/th?id=OADD2.10239317301041_1126D0IH1Q7UAXX2R&pid=21.2&w=1920&h=1080&c=4
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239317301041_1126D0IH1Q7UAXX2R&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 247144
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 42933B764F4948B797F1D31BC47FE5CA Ref B: LON04EDGE0609 Ref C: 2024-01-09T15:54:35Z
          date: Tue, 09 Jan 2024 15:54:35 GMT
        • GET [US]
          https://tse1.mm.bing.net/th?id=OADD2.10239317300952_1E3SWPMLL78HDQL83&pid=21.2&w=1920&h=1080&c=4
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239317300952_1E3SWPMLL78HDQL83&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 395990
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 30DD4CAFA7A047118F19B45991B99D5D Ref B: LON04EDGE0609 Ref C: 2024-01-09T15:54:35Z
          date: Tue, 09 Jan 2024 15:54:35 GMT
        • GET [US]
          https://tse1.mm.bing.net/th?id=OADD2.10239317300950_1CI16BMH94QQ9WZ43&pid=21.2&w=1920&h=1080&c=4
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239317300950_1CI16BMH94QQ9WZ43&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 508519
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: B34C9BBCAC0E427A97D71CAC497F3F69 Ref B: LON04EDGE0609 Ref C: 2024-01-09T15:54:35Z
          date: Tue, 09 Jan 2024 15:54:35 GMT
        • GET [US]
          https://tse1.mm.bing.net/th?id=OADD2.10239317301385_10GXZBGQGK7BVOQK7&pid=21.2&w=1080&h=1920&c=4
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239317301385_10GXZBGQGK7BVOQK7&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 295420
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: AD6849A8D2C04B4E97842FA47FE77948 Ref B: LON04EDGE0609 Ref C: 2024-01-09T15:54:36Z
          date: Tue, 09 Jan 2024 15:54:35 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239317301383_1L76EFRJ4S38LB1VW&pid=21.2&w=1080&h=1920&c=4
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239317301383_1L76EFRJ4S38LB1VW&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 391016
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: FC8E6E886BB04AE9A18AA528B12E1D32 Ref B: LON04EDGE0609 Ref C: 2024-01-09T15:54:36Z
          date: Tue, 09 Jan 2024 15:54:35 GMT
        • flag-us
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239317301474_1G2Z87D10T03QEF39&pid=21.2&w=1080&h=1920&c=4
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239317301474_1G2Z87D10T03QEF39&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 351983
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 316899109D134FBBBD5C339147F61D19 Ref B: LON04EDGE0609 Ref C: 2024-01-09T15:54:37Z
          date: Tue, 09 Jan 2024 15:54:36 GMT
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          8.3kB
          16
          14
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          8.3kB
          16
          14
        • 204.79.197.200:443
          https://tse1.mm.bing.net/th?id=OADD2.10239317301474_1G2Z87D10T03QEF39&pid=21.2&w=1080&h=1920&c=4
          tls, http2
          80.5kB
          2.3MB
          1665
          1660

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239317301041_1126D0IH1Q7UAXX2R&pid=21.2&w=1920&h=1080&c=4

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239317300952_1E3SWPMLL78HDQL83&pid=21.2&w=1920&h=1080&c=4

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239317300950_1CI16BMH94QQ9WZ43&pid=21.2&w=1920&h=1080&c=4

          HTTP Response

          200

          HTTP Response

          200

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239317301385_10GXZBGQGK7BVOQK7&pid=21.2&w=1080&h=1920&c=4

          HTTP Response

          200

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239317301383_1L76EFRJ4S38LB1VW&pid=21.2&w=1080&h=1920&c=4

          HTTP Response

          200

          HTTP Response

          200

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239317301474_1G2Z87D10T03QEF39&pid=21.2&w=1080&h=1920&c=4

          HTTP Response

          200
        • 52.142.223.178:80
        • 8.8.8.8:53
          178.223.142.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          178.223.142.52.in-addr.arpa

        • 8.8.8.8:53
          16.53.126.40.in-addr.arpa
          dns
          142 B
          157 B
          2
          1

          DNS Request

          16.53.126.40.in-addr.arpa

          DNS Request

          16.53.126.40.in-addr.arpa

        • 8.8.8.8:53
          95.221.229.192.in-addr.arpa
          dns
          73 B
          144 B
          1
          1

          DNS Request

          95.221.229.192.in-addr.arpa

        • 8.8.8.8:53
          179.178.17.96.in-addr.arpa
          dns
          144 B
          137 B
          2
          1

          DNS Request

          179.178.17.96.in-addr.arpa

          DNS Request

          179.178.17.96.in-addr.arpa

        • 8.8.8.8:53
          241.154.82.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          241.154.82.20.in-addr.arpa

        • 8.8.8.8:53
          88.156.103.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          88.156.103.20.in-addr.arpa

        • 8.8.8.8:53
          195.233.44.23.in-addr.arpa
          dns
          72 B
          137 B
          1
          1

          DNS Request

          195.233.44.23.in-addr.arpa

        • 8.8.8.8:53
          158.240.127.40.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          158.240.127.40.in-addr.arpa

        • 8.8.8.8:53
          26.165.165.52.in-addr.arpa
          dns
          216 B
          146 B
          3
          1

          DNS Request

          26.165.165.52.in-addr.arpa

          DNS Request

          26.165.165.52.in-addr.arpa

          DNS Request

          26.165.165.52.in-addr.arpa

        • 8.8.8.8:53
          206.23.85.13.in-addr.arpa
          dns
          71 B
          145 B
          1
          1

          DNS Request

          206.23.85.13.in-addr.arpa

        • 8.8.8.8:53
          18.134.221.88.in-addr.arpa
          dns
          144 B
          137 B
          2
          1

          DNS Request

          18.134.221.88.in-addr.arpa

          DNS Request

          18.134.221.88.in-addr.arpa

        • 8.8.8.8:53
          23.236.111.52.in-addr.arpa
          dns
          144 B
          158 B
          2
          1

          DNS Request

          23.236.111.52.in-addr.arpa

          DNS Request

          23.236.111.52.in-addr.arpa

        • 8.8.8.8:53
          82.177.190.20.in-addr.arpa
          dns
          144 B
          158 B
          2
          1

          DNS Request

          82.177.190.20.in-addr.arpa

          DNS Request

          82.177.190.20.in-addr.arpa

        • 8.8.8.8:53
          208.194.73.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          208.194.73.20.in-addr.arpa

        • 8.8.8.8:53
          187.178.17.96.in-addr.arpa
          dns
          72 B
          137 B
          1
          1

          DNS Request

          187.178.17.96.in-addr.arpa

        • 8.8.8.8:53
          2.136.104.51.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          2.136.104.51.in-addr.arpa

        • 8.8.8.8:53
          14.173.189.20.in-addr.arpa
          dns
          144 B
          316 B
          2
          2

          DNS Request

          14.173.189.20.in-addr.arpa

          DNS Request

          14.173.189.20.in-addr.arpa

        • 8.8.8.8:53
          tse1.mm.bing.net
          dns
          124 B
          346 B
          2
          2

          DNS Request

          tse1.mm.bing.net

          DNS Request

          tse1.mm.bing.net

          DNS Response

          204.79.197.200
          13.107.21.200

          DNS Response

          204.79.197.200
          13.107.21.200

        • 8.8.8.8:53

        MITRE ATT&CK Matrix


        Downloads

        • C:\Windows\SysWOW64\winlogin.exe

          Filesize

          296KB

          MD5

          90572d0c451c502d171901d3b1b74036

          SHA1

          fad8b86d9217fe607961a1f89a701532fc49642a

          SHA256

          0ec11901f8d00ffaa654e7bf0a5606c5a4b83f5c844ff0c8f86b5e514d45761c

          SHA512

          7978d0e8e1945dc4a7b7a09527ec3e02db57452fde40bb87395ba3175680a7c7b96a7748936055f4d18cded8353d0b80babee8718711d8e65cd7fd25be6a0b71

        • memory/220-30-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/920-23-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/1072-107-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/1220-48-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/1408-85-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/1520-97-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/1536-58-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/1636-26-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/1636-24-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/1652-19-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/1652-20-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/1796-87-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2068-37-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2068-35-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2124-55-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2124-54-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2276-89-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2356-53-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2396-81-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2396-82-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2408-115-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2408-63-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2408-61-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2424-34-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2836-108-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2856-113-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2964-0-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/2964-6-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3040-71-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3040-69-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3092-12-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3092-75-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3092-14-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3112-68-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3112-66-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3188-60-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3228-16-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3392-65-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3524-93-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3524-39-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3576-47-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3576-45-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/3604-101-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4064-90-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4216-4-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4216-8-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4388-95-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4388-40-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4388-42-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4404-76-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4404-78-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4416-105-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4452-99-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4460-9-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4460-11-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4492-80-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4508-73-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4520-44-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4552-32-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4624-111-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4796-51-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4960-18-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/4976-103-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB

        • memory/5088-28-0x0000000000400000-0x000000000044F000-memory.dmp

          Filesize

          316KB
