Analysis

  • max time kernel
    143s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/05/2024, 07:52 UTC

General

  • Target

    $PLUGINSDIR/uninstall.exe

  • Size

    11.2MB

  • MD5

    19c95f9115e675a52a79c6d8e3e4461c

  • SHA1

    695bdec79f51d3297cb618009f010272d08c23f1

  • SHA256

    59573565cfd215df52c6dd0ade7223167fb3bf8147c140abad145b36f4b3d021

  • SHA512

    b2924364797d97e8be18460045b41be1689222f6c3326b67e9b8f5aaa310bee08672bc0fcc9f9d0b4e0522a686765943b1aa8a631d863da72aad7d92d7940597

  • SSDEEP

    196608:4hKgznK4UZ9oHpWSQQ+87W4DFPwV422RBhox+Ht+FPYLrvaDbP8+uDgCAoB:4hK4K4UZyHdN+8b/hGG+ByvaDzfxoB

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"au-Windows\",\"user_id\":\"D2A781B1\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"install_productversion\":\"Official-com-pp\",\"install_trackversion\":\"2.1.0.0\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-G1ZWRJY8K8&api_secret=vT2-CR2mSpKugIO5e8H3pQ""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4480
      • C:\Windows\SysWOW64\curl.exe
        curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"au-Windows\",\"user_id\":\"D2A781B1\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"install_productversion\":\"Official-com-pp\",\"install_trackversion\":\"2.1.0.0\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-G1ZWRJY8K8&api_secret=vT2-CR2mSpKugIO5e8H3pQ"
        3⤵
          PID:4240
      • C:\Users\Admin\AppData\Local\Temp\un.exe
        "C:\Users\Admin\AppData\Local\Temp\un.exe" """av:2.1.0" "gv:2.1.0.0" "gs:Official-com-pp" "gi:UA-85655135-16" "an:AnyUnlock - iPhone Password Unlocker" "c:iMobie"""
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4928
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4100,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=1272 /prefetch:8
      1⤵
        PID:3244

      Network

      • flag-us
        DNS
        28.118.140.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        28.118.140.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        14.213.58.216.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        14.213.58.216.in-addr.arpa
        IN PTR
        Response
        14.213.58.216.in-addr.arpa
        IN PTR
        lhr25s25-in-f14.1e100.net
        14.213.58.216.in-addr.arpa
        IN PTR
        ber01s14-in-f14
      • flag-us
        DNS
        67.169.217.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        67.169.217.172.in-addr.arpa
        IN PTR
        Response
        67.169.217.172.in-addr.arpa
        IN PTR
        lhr48s09-in-f3.1e100.net
      • flag-us
        DNS
        98.58.20.217.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        98.58.20.217.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • flag-us
        DNS
        75.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        75.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        g.bing.com
        Remote address:
        8.8.8.8:53
        Request
        g.bing.com
        IN A
        Response
        g.bing.com
        IN CNAME
        g-bing-com.dual-a-0034.a-msedge.net
        g-bing-com.dual-a-0034.a-msedge.net
        IN CNAME
        dual-a-0034.a-msedge.net
        dual-a-0034.a-msedge.net
        IN A
        204.79.197.237
        dual-a-0034.a-msedge.net
        IN A
        13.107.21.237
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=85cc3282a55146e291fc03490e7d2f3d&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=85cc3282a55146e291fc03490e7d2f3d&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MUID=103F70A62E2A66D4285E64242F0D679B; domain=.bing.com; expires=Wed, 11-Jun-2025 07:52:53 GMT; path=/; SameSite=None; Secure; Priority=High;
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 7F5CCF70C5DF4728B90A9AB72E0AE2FE Ref B: LON04EDGE0612 Ref C: 2024-05-17T07:52:53Z
        date: Fri, 17 May 2024 07:52:53 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=85cc3282a55146e291fc03490e7d2f3d&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=85cc3282a55146e291fc03490e7d2f3d&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=103F70A62E2A66D4285E64242F0D679B
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        set-cookie: MSPTC=OmFVV9R_bMrE3i9-zZUXVAT4adJonxQoLL-5PQTFwJ4; domain=.bing.com; expires=Wed, 11-Jun-2025 07:52:53 GMT; path=/; Partitioned; secure; SameSite=None
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 6804709A14EF42F28CC54949E4D7BBF3 Ref B: LON04EDGE0612 Ref C: 2024-05-17T07:52:53Z
        date: Fri, 17 May 2024 07:52:53 GMT
      • flag-us
        GET
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=85cc3282a55146e291fc03490e7d2f3d&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
        Remote address:
        204.79.197.237:443
        Request
        GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=85cc3282a55146e291fc03490e7d2f3d&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid= HTTP/2.0
        host: g.bing.com
        accept-encoding: gzip, deflate
        user-agent: WindowsShellClient/9.0.40929.0 (Windows)
        cookie: MUID=103F70A62E2A66D4285E64242F0D679B; MSPTC=OmFVV9R_bMrE3i9-zZUXVAT4adJonxQoLL-5PQTFwJ4
        Response
        HTTP/2.0 204
        cache-control: no-cache, must-revalidate
        pragma: no-cache
        expires: Fri, 01 Jan 1990 00:00:00 GMT
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        access-control-allow-origin: *
        x-cache: CONFIG_NOCACHE
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: E9A7D9084C8C4F38AC99FBA6B0D1DCED Ref B: LON04EDGE0612 Ref C: 2024-05-17T07:52:53Z
        date: Fri, 17 May 2024 07:52:53 GMT
      • flag-be
        GET
        https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        Remote address:
        88.221.83.250:443
        Request
        GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
        host: www.bing.com
        accept: */*
        cookie: MUID=103F70A62E2A66D4285E64242F0D679B; MSPTC=OmFVV9R_bMrE3i9-zZUXVAT4adJonxQoLL-5PQTFwJ4
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-type: image/png
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        content-length: 1107
        date: Fri, 17 May 2024 07:52:54 GMT
        alt-svc: h3=":443"; ma=93600
        x-cdn-traceid: 0.f653dd58.1715932374.36bbb415
      • flag-us
        DNS
        237.197.79.204.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        237.197.79.204.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        250.83.221.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        250.83.221.88.in-addr.arpa
        IN PTR
        Response
        250.83.221.88.in-addr.arpa
        IN PTR
        a88-221-83-250.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        104.219.191.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        104.219.191.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        157.123.68.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        157.123.68.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        13.227.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        13.227.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        79.190.18.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        79.190.18.2.in-addr.arpa
        IN PTR
        Response
        79.190.18.2.in-addr.arpa
        IN PTR
        a2-18-190-79.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        tse1.mm.bing.net
        Remote address:
        8.8.8.8:53
        Request
        tse1.mm.bing.net
        IN A
        Response
        tse1.mm.bing.net
        IN CNAME
        mm-mm.bing.net.trafficmanager.net
        mm-mm.bing.net.trafficmanager.net
        IN CNAME
        dual-a-0001.a-msedge.net
        dual-a-0001.a-msedge.net
        IN A
        204.79.197.200
        dual-a-0001.a-msedge.net
        IN A
        13.107.21.200
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 627437
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: CC15AFD0976749288DF75A6431188707 Ref B: LON04EDGE0911 Ref C: 2024-05-17T07:54:31Z
        date: Fri, 17 May 2024 07:54:31 GMT
      • flag-us
        GET
        https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
        Remote address:
        204.79.197.200:443
        Request
        GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
        host: tse1.mm.bing.net
        accept: */*
        accept-encoding: gzip, deflate, br
        user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
        Response
        HTTP/2.0 200
        cache-control: public, max-age=2592000
        content-length: 792794
        content-type: image/jpeg
        x-cache: TCP_HIT
        access-control-allow-origin: *
        access-control-allow-headers: *
        access-control-allow-methods: GET, POST, OPTIONS
        timing-allow-origin: *
        report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
        nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
        accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
        x-msedge-ref: Ref A: 8774AA67A7664A598EE528BF8D00AEDB Ref B: LON04EDGE0911 Ref C: 2024-05-17T07:54:31Z
        date: Fri, 17 May 2024 07:54:31 GMT
      • flag-us
        DNS
        41.173.79.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        41.173.79.40.in-addr.arpa
        IN PTR
        Response
      • 204.79.197.237:443
        https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=85cc3282a55146e291fc03490e7d2f3d&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=
        tls, http2
        2.0kB
        9.2kB
        21
        19

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=85cc3282a55146e291fc03490e7d2f3d&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=85cc3282a55146e291fc03490e7d2f3d&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=

        HTTP Response

        204

        HTTP Request

        GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=85cc3282a55146e291fc03490e7d2f3d&localId=w:59244BCC-88B7-85EB-8DCD-EAE142591B00&deviceId=6896201178070400&anid=

        HTTP Response

        204
      • 88.221.83.250:443
        https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
        tls, http2
        1.5kB
        6.4kB
        17
        12

        HTTP Request

        GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

        HTTP Response

        200
      • 204.79.197.200:443
        tse1.mm.bing.net
        tls, http2
        1.2kB
        8.1kB
        16
        14
      • 204.79.197.200:443
        https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
        tls, http2
        52.6kB
        1.5MB
        1082
        1079

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

        HTTP Request

        GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

        HTTP Response

        200

        HTTP Response

        200
      • 8.8.8.8:53
        28.118.140.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        28.118.140.52.in-addr.arpa

      • 8.8.8.8:53
        14.213.58.216.in-addr.arpa
        dns
        72 B
        141 B
        1
        1

        DNS Request

        14.213.58.216.in-addr.arpa

      • 8.8.8.8:53
        67.169.217.172.in-addr.arpa
        dns
        73 B
        111 B
        1
        1

        DNS Request

        67.169.217.172.in-addr.arpa

      • 8.8.8.8:53
        98.58.20.217.in-addr.arpa
        dns
        71 B
        131 B
        1
        1

        DNS Request

        98.58.20.217.in-addr.arpa

      • 8.8.8.8:53
        8.8.8.8.in-addr.arpa
        dns
        66 B
        90 B
        1
        1

        DNS Request

        8.8.8.8.in-addr.arpa

      • 8.8.8.8:53
        75.159.190.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        75.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        g.bing.com
        dns
        56 B
        151 B
        1
        1

        DNS Request

        g.bing.com

        DNS Response

        204.79.197.237
        13.107.21.237

      • 8.8.8.8:53
        237.197.79.204.in-addr.arpa
        dns
        73 B
        143 B
        1
        1

        DNS Request

        237.197.79.204.in-addr.arpa

      • 8.8.8.8:53
        250.83.221.88.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        250.83.221.88.in-addr.arpa

      • 8.8.8.8:53
        104.219.191.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        104.219.191.52.in-addr.arpa

      • 8.8.8.8:53
        157.123.68.40.in-addr.arpa
        dns
        72 B
        146 B
        1
        1

        DNS Request

        157.123.68.40.in-addr.arpa

      • 8.8.8.8:53
        171.39.242.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        171.39.242.20.in-addr.arpa

      • 8.8.8.8:53
        13.227.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        13.227.111.52.in-addr.arpa

      • 8.8.8.8:53
        79.190.18.2.in-addr.arpa
        dns
        70 B
        133 B
        1
        1

        DNS Request

        79.190.18.2.in-addr.arpa

      • 8.8.8.8:53
        tse1.mm.bing.net
        dns
        62 B
        173 B
        1
        1

        DNS Request

        tse1.mm.bing.net

        DNS Response

        204.79.197.200
        13.107.21.200

      • 8.8.8.8:53
        41.173.79.40.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        41.173.79.40.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nslE168.tmp\CheckProVs.dll

        Filesize

        7KB

        MD5

        62e85098ce43cb3d5c422e49390b7071

        SHA1

        df6722f155ce2a1379eff53a9ad1611ddecbb3bf

        SHA256

        ee7e26894cbf89c93ae4df15bdb12cd9a21f5deacedfa99a01eefe8fa52daec2

        SHA512

        dfe7438c2b46f822e2a810bc355e5226043547608d19d1c70314e4325c06ad9ad63a797905e30d19f5d9a86ee1a6d9c28f525a298731e79dbf6f3d6441179a8e

      • C:\Users\Admin\AppData\Local\Temp\nslE168.tmp\GoogleTracingLib.dll

        Filesize

        36KB

        MD5

        d8fca35ff95fe00a7174177181f8bd13

        SHA1

        fbafea4d2790dd2c0d022dfb08ded91de7f5265e

        SHA256

        ad873f1e51e6d033e5507235ec735957256ebeeb0d3f22aa0b57bb4bd0846e4c

        SHA512

        eb530b10f137cb0cdfdcd2c11fd9f50f774e0ce44e9d2da3e755f6a6df24fe6e7525c27b109e3e68e9d3e49a889937a22f4d9d78703b1055a83b8a58808a58ba

      • C:\Users\Admin\AppData\Local\Temp\nslE168.tmp\SkinBtn.dll

        Filesize

        4KB

        MD5

        29818862640ac659ce520c9c64e63e9e

        SHA1

        485e1e6cc552fa4f05fb767043b1e7c9eb80be64

        SHA256

        e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb

        SHA512

        ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057

      • C:\Users\Admin\AppData\Local\Temp\nslE168.tmp\System.dll

        Filesize

        11KB

        MD5

        ca332bb753b0775d5e806e236ddcec55

        SHA1

        f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

        SHA256

        df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

        SHA512

        2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

      • C:\Users\Admin\AppData\Local\Temp\nslE168.tmp\nsProcess.dll

        Filesize

        4KB

        MD5

        f0438a894f3a7e01a4aae8d1b5dd0289

        SHA1

        b058e3fcfb7b550041da16bf10d8837024c38bf6

        SHA256

        30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

        SHA512

        f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

      • C:\Users\Admin\AppData\Local\Temp\nslE168.tmp\registry.dll

        Filesize

        24KB

        MD5

        2b7007ed0262ca02ef69d8990815cbeb

        SHA1

        2eabe4f755213666dbbbde024a5235ddde02b47f

        SHA256

        0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

        SHA512

        aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

      • C:\Users\Admin\AppData\Local\Temp\nslE168.tmp\un.exe

        Filesize

        11.7MB

        MD5

        cbea93b5c3fc5080bb200c58edc14dd6

        SHA1

        4204117c82823c54dc5e3f05a4c1ff667fefb331

        SHA256

        ee8c4d17e67236e84faa12696aed1b4a8d5b529b73adc2a6b2787e26e96d191c

        SHA512

        2977e50a98ef9bb76f3f63a0909c6fbca0f08ceeb8d796c3c57364474736cb5d3a8803c32f6a6f7cc66c89129aead2e37c87369b96160bef6df6aff7a4171e8a

      • memory/3612-30-0x0000000003410000-0x0000000003469000-memory.dmp

        Filesize

        356KB

      • memory/4928-68-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB

      • memory/4928-67-0x0000000000310000-0x0000000000ED0000-memory.dmp

        Filesize

        11.8MB

      • memory/4928-66-0x00000000748CE000-0x00000000748CF000-memory.dmp

        Filesize

        4KB

      • memory/4928-69-0x00000000058F0000-0x0000000005956000-memory.dmp

        Filesize

        408KB

      • memory/4928-70-0x0000000006630000-0x000000000668A000-memory.dmp

        Filesize

        360KB

      • memory/4928-71-0x0000000006AB0000-0x0000000006AD0000-memory.dmp

        Filesize

        128KB

      • memory/4928-73-0x0000000009750000-0x0000000009758000-memory.dmp

        Filesize

        32KB

      • memory/4928-72-0x0000000006DD0000-0x0000000007124000-memory.dmp

        Filesize

        3.3MB

      • memory/4928-74-0x0000000006870000-0x0000000006878000-memory.dmp

        Filesize

        32KB

      • memory/4928-75-0x00000000097A0000-0x00000000097D8000-memory.dmp

        Filesize

        224KB

      • memory/4928-76-0x0000000006820000-0x000000000682E000-memory.dmp

        Filesize

        56KB

      • memory/4928-77-0x00000000748CE000-0x00000000748CF000-memory.dmp

        Filesize

        4KB

      • memory/4928-78-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB
