Analysis

  • max time kernel
    1794s
  • max time network
    1795s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/05/2024, 02:08 UTC

General

  • Target

    a ton of ya/ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe

  • Size

    63KB

  • MD5

    222c2d239f4c8a1d73c736c9cc712807

  • SHA1

    c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c

  • SHA256

    ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

  • SHA512

    1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

  • SSDEEP

    1536:tJc/5q1qoR5PDdAZcIED4VuCkbFybjQ9f0jQRmONww+W:7c/iqoJekbFEQ9W+mONP+W

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:23638

209.25.140.1:5525:23638

bring-recorder.gl.at.ply.gg:23638

action-yesterday.gl.at.ply.gg:23638

147.185.221.19:23638

then-wheel.gl.at.ply.gg::23638

then-wheel.gl.at.ply.gg:23638

teen-modes.gl.at.ply.gg:23638

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    uwumonster.exe

Signatures

  • Detect Xworm Payload (2 IoCs)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, most likely used as a geofence.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (30 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    schtasks.exe is commonly used by malware for persistence or to run a payload after infection.

  • Suspicious use of AdjustPrivilegeToken (32 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run at boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    "C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4744
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4848
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2544
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1536
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1044
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4588
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4016
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4224
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:384
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2016
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:640
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4600
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5072
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4648
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:392
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1712
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4328
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2284
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2816
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4632
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4312
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1288
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3044
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4232
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2592
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2108
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4340
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3892
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3616
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4508
  • C:\Users\Admin\AppData\Local\uwumonster.exe
    C:\Users\Admin\AppData\Local\uwumonster.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4728
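The process tree above tells the whole persistence story: the original sample (PID 1448) drops uwumonster.exe into %LocalAppData%, registers a scheduled task through schtasks.exe (PID 4744) that fires every minute at the highest run level, and the sandbox then records 30 separate launches of the dropped binary over the 1794 s analysis window. The following is an added example, not code from the sandbox or from the report, that parses that exact command line, scores its persistence indicators against two constructed benign schtasks lines, and checks that 30 launches are consistent with a one-minute trigger over the recorded run time. The benign lines, the indicator rules and the helper names (`parse_schtasks`, `assess_task`, `triage`, `launch_window`) are the author's assumptions.

```python
"""Triage of the schtasks.exe command line from the process tree.

Added example; not part of the sandbox report. OBSERVED_CMDLINE is copied from
the report (PID 4744). The benign comparison lines, the indicator rules and
the helper names are the author's assumptions.
"""
import re

# Copied from the report's process tree (PID 4744, spawned by PID 1448).
OBSERVED_CMDLINE = (
    '"C:\\Windows\\System32\\schtasks.exe" /create /f /RL HIGHEST /sc minute '
    '/mo 1 /tn "uwumonster" /tr "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe"'
)

# Constructed benign lines for comparison (assumed, not from the report).
BENIGN_CMDLINES = [
    '"C:\\Windows\\System32\\schtasks.exe" /create /sc daily /st 03:00 '
    '/tn "NightlyBackup" /tr "C:\\Program Files\\Backup\\backup.exe"',
    'schtasks.exe /query /tn "NightlyBackup"',
]

# Path fragments that mark user-writable locations (compared lower-case).
USER_WRITABLE = ("\\appdata\\local", "\\appdata\\roaming", "\\temp\\", "\\users\\public")


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted strings as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return the switches of a schtasks.exe invocation as a dict (keys
    lower-cased without the slash, True for valueless switches), or None if
    the command line is not schtasks.exe at all."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def assess_task(opts):
    """Score the persistence indicators of a /create invocation.
    Returns (score, findings); the score is simply the number of findings."""
    findings = []
    if not opts or not opts.get("create"):
        return 0, findings
    sc, mo = str(opts.get("sc", "")).lower(), str(opts.get("mo", "1"))
    if sc == "minute" and mo.isdigit() and int(mo) <= 5:
        findings.append("high-frequency trigger: fires every %s minute(s)" % mo)
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        findings.append("/RL HIGHEST: runs with the highest privileges available to the user")
    target = str(opts.get("tr", ""))
    if any(frag in target.lower() for frag in USER_WRITABLE):
        findings.append("task target in a user-writable directory: " + target)
    if opts.get("f"):
        findings.append("/f: silently replaces an existing task of the same name")
    return len(findings), findings


def triage(cmdlines, threshold=2):
    """Return (cmdline, score, findings) for every line at or above threshold."""
    hits = []
    for line in cmdlines:
        score, findings = assess_task(parse_schtasks(line))
        if score >= threshold:
            hits.append((line, score, findings))
    return hits


def launch_window(duration_s, interval_min):
    """Bounds on how often a minute-interval task can fire inside an analysis
    window; the first fire may land right at the start, hence the +1."""
    n = duration_s // (interval_min * 60)
    return n, n + 1


if __name__ == "__main__":
    for line, score, findings in triage([OBSERVED_CMDLINE] + BENIGN_CMDLINES):
        print(score, line)
        for finding in findings:
            print("   -", finding)
    # Report: max time kernel 1794 s, 30 launches of uwumonster.exe observed.
    print("launches expected for a 1-minute trigger over 1794 s:", launch_window(1794, 1))
```

The observed line scores on all four indicators, while a daily backup task under Program Files scores zero, so a threshold of two already separates them. The run-time check matters for the analyst reading the report: 1794 s divided by a one-minute trigger gives 29 or 30 firings, which is exactly the 30 "Executes dropped EXE" entries, so those launches are the scheduler doing its job, not 30 independent infections or a self-replicating loop.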

Network

  • US
    DNS
    183.142.211.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.142.211.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b826b5fcd624711a3f9e5c9bed89359&localId=w:5128B8A4-055F-6043-9311-1EEEFB4045B4&deviceId=6825828473859725&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b826b5fcd624711a3f9e5c9bed89359&localId=w:5128B8A4-055F-6043-9311-1EEEFB4045B4&deviceId=6825828473859725&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2235B3882BA467E31A47A7FB2A1F667A; domain=.bing.com; expires=Tue, 27-May-2025 07:13:10 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B667E4D0AEE24591ADCDEE9944B939C2 Ref B: LON04EDGE0821 Ref C: 2024-05-02T07:13:10Z
    date: Thu, 02 May 2024 07:13:09 GMT
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3b826b5fcd624711a3f9e5c9bed89359&localId=w:5128B8A4-055F-6043-9311-1EEEFB4045B4&deviceId=6825828473859725&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3b826b5fcd624711a3f9e5c9bed89359&localId=w:5128B8A4-055F-6043-9311-1EEEFB4045B4&deviceId=6825828473859725&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2235B3882BA467E31A47A7FB2A1F667A
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=scKVkSPAUYTbdStCOgRrjNdoj9e-_8BQV2JjyRXLitY; domain=.bing.com; expires=Tue, 27-May-2025 07:13:10 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C9E33FEB6AD449DA9855844347E7C06B Ref B: LON04EDGE0821 Ref C: 2024-05-02T07:13:10Z
    date: Thu, 02 May 2024 07:13:09 GMT
  • US
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b826b5fcd624711a3f9e5c9bed89359&localId=w:5128B8A4-055F-6043-9311-1EEEFB4045B4&deviceId=6825828473859725&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b826b5fcd624711a3f9e5c9bed89359&localId=w:5128B8A4-055F-6043-9311-1EEEFB4045B4&deviceId=6825828473859725&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2235B3882BA467E31A47A7FB2A1F667A; MSPTC=scKVkSPAUYTbdStCOgRrjNdoj9e-_8BQV2JjyRXLitY
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C0A7FA6E04CF438E95DBD8C37A9163A2 Ref B: LON04EDGE0821 Ref C: 2024-05-02T07:13:10Z
    date: Thu, 02 May 2024 07:13:09 GMT
  • US
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79.deploy.static.akamaitechnologies.com
  • NL
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    23.62.61.72:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=2235B3882BA467E31A47A7FB2A1F667A; MSPTC=scKVkSPAUYTbdStCOgRrjNdoj9e-_8BQV2JjyRXLitY
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Thu, 02 May 2024 07:13:11 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.443d3e17.1714633991.be16bfe
  • US
    DNS
    205.47.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.47.74.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    205.47.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.47.74.20.in-addr.arpa
    IN PTR
  • US
    DNS
    23.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.159.190.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    23.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.159.190.20.in-addr.arpa
    IN PTR
  • US
    DNS
    72.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.61.62.23.in-addr.arpa
    IN PTR
    Response
    72.61.62.23.in-addr.arpa
    IN PTR
    a23-62-61-72.deploy.static.akamaitechnologies.com
  • US
    DNS
    72.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.61.62.23.in-addr.arpa
    IN PTR
  • US
    DNS
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    bring-recorder.gl.at.ply.gg
    IN A
    Response
    bring-recorder.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    action-yesterday.gl.at.ply.gg
    IN A
    Response
    action-yesterday.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    34.251.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    34.251.17.2.in-addr.arpa
    IN PTR
    Response
    34.251.17.2.in-addr.arpa
    IN PTR
    a2-17-251-34.deploy.static.akamaitechnologies.com
  • US
    DNS
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    then-wheel.gl.at.ply.gg
    IN A
    Response
    then-wheel.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239370255172_1LGH0N1M3BEVIZPTE&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239370255172_1LGH0N1M3BEVIZPTE&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 565422
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: CBA1CC6E8CC34D0B88DC7B800AEB845C Ref B: LON04EDGE1218 Ref C: 2024-05-02T07:14:49Z
    date: Thu, 02 May 2024 07:14:48 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 442324
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E69322E416F842F8BE1B8AB0EA665BC4 Ref B: LON04EDGE1218 Ref C: 2024-05-02T07:14:49Z
    date: Thu, 02 May 2024 07:14:48 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239370255173_1DU5CK10FBZ5UERKJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239370255173_1DU5CK10FBZ5UERKJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 583094
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 15A104518CF34F47BC38F64E34073835 Ref B: LON04EDGE1218 Ref C: 2024-05-02T07:14:49Z
    date: Thu, 02 May 2024 07:14:48 GMT
  • US
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 394521
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6F02C306FF144A9F8DDFFE3825702E23 Ref B: LON04EDGE1218 Ref C: 2024-05-02T07:14:49Z
    date: Thu, 02 May 2024 07:14:48 GMT
  • US
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001.a-msedge.net
  • US
    DNS
    253.15.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    253.15.104.51.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    teen-modes.gl.at.ply.gg
    IN A
    Response
    teen-modes.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    teen-modes.gl.at.ply.gg
    IN A
    Response
    teen-modes.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    action-yesterday.gl.at.ply.gg
    IN A
    Response
    action-yesterday.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    bring-recorder.gl.at.ply.gg
    IN A
    Response
    bring-recorder.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    then-wheel.gl.at.ply.gg
    IN A
    Response
    then-wheel.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    teen-modes.gl.at.ply.gg
    IN A
    Response
    teen-modes.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    bring-recorder.gl.at.ply.gg
    IN A
    Response
    bring-recorder.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    then-wheel.gl.at.ply.gg
    IN A
    Response
    then-wheel.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    then-wheel.gl.at.ply.gg
    IN A
    Response
    then-wheel.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    bring-recorder.gl.at.ply.gg
    IN A
    Response
    bring-recorder.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    action-yesterday.gl.at.ply.gg
    IN A
    Response
    action-yesterday.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    teen-modes.gl.at.ply.gg
    IN A
    Response
    teen-modes.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    bring-recorder.gl.at.ply.gg
    IN A
    Response
    bring-recorder.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    action-yesterday.gl.at.ply.gg
    IN A
    Response
    action-yesterday.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    teen-modes.gl.at.ply.gg
    IN A
    Response
    teen-modes.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    then-wheel.gl.at.ply.gg
    IN A
    Response
    then-wheel.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    teen-modes.gl.at.ply.gg
    IN A
    Response
    teen-modes.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    bring-recorder.gl.at.ply.gg
    IN A
    Response
    bring-recorder.gl.at.ply.gg
    IN A
    147.185.221.19
  • US
    DNS
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    Remote address:
    8.8.8.8:53
    Request
    action-yesterday.gl.at.ply.gg
    IN A
    Response
    action-yesterday.gl.at.ply.gg
    IN A
    147.185.221.19
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b826b5fcd624711a3f9e5c9bed89359&localId=w:5128B8A4-055F-6043-9311-1EEEFB4045B4&deviceId=6825828473859725&anid=
    tls, http2
    2.0kB
    9.2kB
    22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b826b5fcd624711a3f9e5c9bed89359&localId=w:5128B8A4-055F-6043-9311-1EEEFB4045B4&deviceId=6825828473859725&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3b826b5fcd624711a3f9e5c9bed89359&localId=w:5128B8A4-055F-6043-9311-1EEEFB4045B4&deviceId=6825828473859725&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3b826b5fcd624711a3f9e5c9bed89359&localId=w:5128B8A4-055F-6043-9311-1EEEFB4045B4&deviceId=6825828473859725&anid=

    HTTP Response

    204
  • 23.62.61.72:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.5kB
    6.3kB
    16
    11

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    tls, http2
    70.8kB
    2.1MB
    1507
    1505

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239370255172_1LGH0N1M3BEVIZPTE&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239370255173_1DU5CK10FBZ5UERKJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 147.185.221.19:23638
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 127.0.0.1:23638
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 127.0.0.1:23638
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 127.0.0.1:23638
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
  • 147.185.221.19:23638
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 127.0.0.1:23638
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 127.0.0.1:23638
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 127.0.0.1:23638
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
  • 147.185.221.19:23638
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 127.0.0.1:23638
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    then-wheel.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    teen-modes.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    bring-recorder.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    260 B
    5
  • 147.185.221.19:23638
    action-yesterday.gl.at.ply.gg
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    208 B
    4
  • 8.8.8.8:53
    183.142.211.20.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    183.142.211.20.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    23.159.190.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    23.159.190.20.in-addr.arpa

    DNS Request

    23.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    205.47.74.20.in-addr.arpa
    dns
    142 B
    157 B
    2
    1

    DNS Request

    205.47.74.20.in-addr.arpa

    DNS Request

    205.47.74.20.in-addr.arpa

  • 8.8.8.8:53
    72.61.62.23.in-addr.arpa
    dns
    140 B
    133 B
    2
    1

    DNS Request

    72.61.62.23.in-addr.arpa

    DNS Request

    72.61.62.23.in-addr.arpa

  • 8.8.8.8:53
    bring-recorder.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    73 B
    89 B
    1
    1

    DNS Request

    bring-recorder.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    action-yesterday.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    75 B
    91 B
    1
    1

    DNS Request

    action-yesterday.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    34.251.17.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    34.251.17.2.in-addr.arpa

  • 8.8.8.8:53
    then-wheel.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    69 B
    85 B
    1
    1

    DNS Request

    then-wheel.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
    106 B
    1
    1

    DNS Request

    200.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    253.15.104.51.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    253.15.104.51.in-addr.arpa

  • 8.8.8.8:53
    teen-modes.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    69 B
    85 B
    1
    1

    DNS Request

    teen-modes.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    teen-modes.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    69 B
    85 B
    1
    1

    DNS Request

    teen-modes.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    action-yesterday.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    75 B
    91 B
    1
    1

    DNS Request

    action-yesterday.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    bring-recorder.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    73 B
    89 B
    1
    1

    DNS Request

    bring-recorder.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    then-wheel.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    69 B
    85 B
    1
    1

    DNS Request

    then-wheel.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    teen-modes.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    69 B
    85 B
    1
    1

    DNS Request

    teen-modes.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    bring-recorder.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    73 B
    89 B
    1
    1

    DNS Request

    bring-recorder.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    then-wheel.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    69 B
    85 B
    1
    1

    DNS Request

    then-wheel.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    then-wheel.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    69 B
    85 B
    1
    1

    DNS Request

    then-wheel.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    bring-recorder.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    73 B
    89 B
    1
    1

    DNS Request

    bring-recorder.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    action-yesterday.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    75 B
    91 B
    1
    1

    DNS Request

    action-yesterday.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    teen-modes.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    69 B
    85 B
    1
    1

    DNS Request

    teen-modes.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    bring-recorder.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    73 B
    89 B
    1
    1

    DNS Request

    bring-recorder.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    action-yesterday.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    75 B
    91 B
    1
    1

    DNS Request

    action-yesterday.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    teen-modes.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    69 B
    85 B
    1
    1

    DNS Request

    teen-modes.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    then-wheel.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    69 B
    85 B
    1
    1

    DNS Request

    then-wheel.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    teen-modes.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    69 B
    85 B
    1
    1

    DNS Request

    teen-modes.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    bring-recorder.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    73 B
    89 B
    1
    1

    DNS Request

    bring-recorder.gl.at.ply.gg

    DNS Response

    147.185.221.19

  • 8.8.8.8:53
    action-yesterday.gl.at.ply.gg
    dns
    ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy -.exe
    75 B
    91 B
    1
    1

    DNS Request

    action-yesterday.gl.at.ply.gg

    DNS Response

    147.185.221.19

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\uwumonster.exe

    Filesize

    63KB

    MD5

    222c2d239f4c8a1d73c736c9cc712807

    SHA1

    c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c

    SHA256

    ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

    SHA512

    1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

  • memory/1448-0-0x00007FFEBE1D3000-0x00007FFEBE1D5000-memory.dmp

    Filesize

    8KB

  • memory/1448-1-0x00000000007E0000-0x00000000007F6000-memory.dmp

    Filesize

    88KB

  • memory/1448-6-0x00007FFEBE1D0000-0x00007FFEBEC91000-memory.dmp

    Filesize

    10.8MB

  • memory/1448-7-0x00007FFEBE1D0000-0x00007FFEBEC91000-memory.dmp

    Filesize

    10.8MB

  • memory/4848-10-0x00007FFEBE1D0000-0x00007FFEBEC91000-memory.dmp

    Filesize

    10.8MB

  • memory/4848-12-0x00007FFEBE1D0000-0x00007FFEBEC91000-memory.dmp

    Filesize

    10.8MB
