Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19/05/2024, 03:36 UTC

General

  • Target

    66169f4786642c8c51d82e11d4fef1c0_NeikiAnalytics.exe

  • Size

    4.1MB

  • MD5

    66169f4786642c8c51d82e11d4fef1c0

  • SHA1

    4e0cfc005d8637d2d07daf7e1f2a18cab560e6cb

  • SHA256

    d4a9c9ddfe34e1a0b1dea76ebbeb37a5a74e5eef08223a0cb4b11c07dacffe80

  • SHA512

    d195f38ab65b070dde4f58c95a18f2011fb2bafcb9a04eded2333a02d286abb36bc2bea22e4dde869a5c2583ec47b25b1c075336ad070ef079f074bfde2436ec

  • SSDEEP

    98304:QvzBhIm6zIE7SIO2RhCG9zRnSMmyRgCXxFQG9cd:mzBhDcIv8bCGbNmyXXxFQGyd

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 18 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with the UPX open source packer or a modified UPX.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories and files from detection.

  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs commands through powershell.exe.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\66169f4786642c8c51d82e11d4fef1c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\66169f4786642c8c51d82e11d4fef1c0_NeikiAnalytics.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4912
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1032
    • C:\Users\Admin\AppData\Local\Temp\66169f4786642c8c51d82e11d4fef1c0_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\66169f4786642c8c51d82e11d4fef1c0_NeikiAnalytics.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2292
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3788
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:2324
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1204
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2388
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4064
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:960
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4000
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:2288
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4052
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5020
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2120
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3596
        • C:\Windows\windefender.exe
          "C:\Windows\windefender.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:840
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:408
            • C:\Windows\SysWOW64\sc.exe
              sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              6⤵
              • Launches sc.exe
              • Suspicious use of AdjustPrivilegeToken
              PID:2056
  • C:\Windows\windefender.exe
    C:\Windows\windefender.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:3332
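
The process tree is the most useful part of this report for a detection engineer: the sample drops a copy of itself as C:\Windows\rss\csrss.exe (the genuine csrss.exe lives only in System32), opens an inbound firewall exception for that path with netsh, registers an ONLOGON scheduled task at run level HIGHEST pointing at it, and, through the dropped windefender.exe, uses sc sdset to rewrite the security descriptor of a service named WinDefender. In that SDDL the ACE (D;;WPDT;;;BA) denies the Administrators group the WP (stop) and DT (pause/continue) service rights, so an admin cannot simply stop the service. The injector.exe line passes taskmgr.exe together with a DLL named NtQuerySystemInformationHook.dll, the API Task Manager uses to enumerate processes. The following is an added example, not part of the tria.ge report and not Glupteba code: it runs a few heuristics over the command lines copied from the tree above and decodes the service SDDL so that the deny ACE becomes readable. The rules, the list of System32-only image names and the user-writable directory markers are the editor's assumptions, not tria.ge signatures.

```python
"""Heuristic checks over the command lines in the process tree above.

Added example; it is not part of the tria.ge report and not Glupteba code.
OBSERVED is copied from the tree above (PIDs 2324, 3596, 2056 and 2120); the
rules are the editor's own heuristics, and the SDDL decoder handles only the
service-object subset (two-letter rights, well-known SID aliases).
"""
import re

# Copied from the process tree above.
OBSERVED = [
    'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
    'program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)'
    '(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
    'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe taskmgr.exe '
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\NtQuerySystemInformationHook.dll',
]

# Image names that only ever run from the system directories on a clean host (assumption).
SYSTEM_ONLY = {"csrss.exe", "smss.exe", "wininit.exe", "services.exe", "lsass.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

# Service-object access rights as abbreviated in SDDL, plus the SID aliases seen above.
SVC_RIGHTS = {"CC": "query config", "DC": "change config", "LC": "query status",
              "SW": "enumerate dependents", "RP": "start", "WP": "stop",
              "DT": "pause/continue", "LO": "interrogate", "CR": "user-defined control",
              "SD": "delete", "RC": "read control", "WD": "write DAC", "WO": "write owner"}
SID_ALIAS = {"SY": "SYSTEM", "BA": "Administrators", "IU": "Interactive users",
             "SU": "Service logon", "WD": "Everyone"}
# ACE layout: (ace_type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((A|D|AU);([^;]*);([^;]*);[^;]*;[^;]*;([^)]+)\)")


def unq(s):
    """Strip surrounding double quotes from a command-line token."""
    return s.strip('"')


def basename(path):
    """Last path component of a (possibly quoted) Windows path."""
    return unq(path).rsplit("\\", 1)[-1]


def path_issue(path):
    """Reason string when a path is suspicious on its own, else None."""
    p = unq(path).lower()
    if basename(p) in SYSTEM_ONLY and not p.startswith(SYSTEM_DIRS):
        return "system image name outside System32"
    if any(marker in p for marker in USER_WRITABLE):
        return "runs from a user-writable directory"
    return None


def decode_service_dacl(sddl):
    """Return [(ace_type, principal, [rights])] for the D: part of a service SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    out = []
    for ace_type, _flags, rights, sid in ACE_RE.findall(dacl):
        pairs = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        out.append((ace_type, SID_ALIAS.get(sid, sid), [SVC_RIGHTS.get(r, r) for r in pairs]))
    return out


def analyse(cmdline):
    """Return the list of findings for one command line (empty when nothing fires)."""
    findings = []
    low = cmdline.lower()
    image = cmdline.split()[0]  # assumes an unquoted, space-free image path, as in the tree above
    if path_issue(image):
        findings.append(f"image {unq(image)}: {path_issue(image)}")
    if "advfirewall firewall add rule" in low and "action=allow" in low:
        m = re.search(r'program=("[^"]+"|\S+)', cmdline, re.I)
        issue = m and path_issue(m.group(1))
        if issue:
            findings.append(f"firewall allow rule, {issue}: {unq(m.group(1))}")
    if "/create" in low and "/rl highest" in low:
        m = re.search(r'/TR\s+("[^"]+"|\S+)', cmdline, re.I)
        issue = m and path_issue(m.group(1))
        if issue:
            findings.append(f"highest-privilege scheduled task, {issue}: {unq(m.group(1))}")
    if re.match(r"\s*sc(\.exe)?\s+sdset\s+", cmdline, re.I):
        svc = cmdline.split()[2]
        for ace_type, who, rights in decode_service_dacl(cmdline):
            if ace_type == "D" and who == "Administrators":
                findings.append(f"service {svc}: DACL denies {who} {', '.join(rights)}")
    for tok in cmdline.split():
        if tok.lower().endswith("hook.dll"):
            findings.append(f"hooking DLL passed as an argument: {basename(tok)}")
    return findings


def report(cmdlines=OBSERVED):
    """Map each flagged command line to its findings."""
    hits = {c: analyse(c) for c in cmdlines}
    return {c: f for c, f in hits.items() if f}


if __name__ == "__main__":
    for cmd, found in report().items():
        print(cmd[:70] + ("..." if len(cmd) > 70 else ""))
        for f in found:
            print("   ", f)
```

Run as a script it prints one block per flagged command line; all four lines from the tree fire, and a netsh rule for a System32 binary or a plain daily schtasks entry does not. The SDDL decoder is the part worth keeping: a service whose DACL contains a deny ACE for Administrators on stop or pause is rare in legitimate software and cheap to alert on from Sysmon event ID 1 command lines.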

    Network

    • flag-us
      DNS
      149.220.183.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      149.220.183.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      79.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      79.190.18.2.in-addr.arpa
      IN PTR
      Response
      79.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-79.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8W36in6Q1Dxk2EpiBs_O0BDVUCUxfGo3XAaKNEi_wkyv2N0ebkLUMNYBtLxA9sdd2ciHWl2M3ddOb8SosBw-ZgBdVgcMbYG0gmsbpYD97LKcXUPu75m4WLKdc9TE_IYfN-XD7TKzUAfGbj0Wg6TgN-VgF7kM0XyFoBAaUMO03svQvnYJl%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3De3355c6480e316b3768a3a4f2fb762d3&TIME=20240426T134311Z&CID=531035994&EID=531035994&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8W36in6Q1Dxk2EpiBs_O0BDVUCUxfGo3XAaKNEi_wkyv2N0ebkLUMNYBtLxA9sdd2ciHWl2M3ddOb8SosBw-ZgBdVgcMbYG0gmsbpYD97LKcXUPu75m4WLKdc9TE_IYfN-XD7TKzUAfGbj0Wg6TgN-VgF7kM0XyFoBAaUMO03svQvnYJl%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3De3355c6480e316b3768a3a4f2fb762d3&TIME=20240426T134311Z&CID=531035994&EID=531035994&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=1E409F6D369C63DF09848BE937276271; domain=.bing.com; expires=Fri, 13-Jun-2025 03:36:27 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: D1B65253CC8744419E635396C5197090 Ref B: LON04EDGE0812 Ref C: 2024-05-19T03:36:27Z
      date: Sun, 19 May 2024 03:36:27 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8W36in6Q1Dxk2EpiBs_O0BDVUCUxfGo3XAaKNEi_wkyv2N0ebkLUMNYBtLxA9sdd2ciHWl2M3ddOb8SosBw-ZgBdVgcMbYG0gmsbpYD97LKcXUPu75m4WLKdc9TE_IYfN-XD7TKzUAfGbj0Wg6TgN-VgF7kM0XyFoBAaUMO03svQvnYJl%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3De3355c6480e316b3768a3a4f2fb762d3&TIME=20240426T134311Z&CID=531035994&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8W36in6Q1Dxk2EpiBs_O0BDVUCUxfGo3XAaKNEi_wkyv2N0ebkLUMNYBtLxA9sdd2ciHWl2M3ddOb8SosBw-ZgBdVgcMbYG0gmsbpYD97LKcXUPu75m4WLKdc9TE_IYfN-XD7TKzUAfGbj0Wg6TgN-VgF7kM0XyFoBAaUMO03svQvnYJl%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3De3355c6480e316b3768a3a4f2fb762d3&TIME=20240426T134311Z&CID=531035994&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=1E409F6D369C63DF09848BE937276271; _EDGE_S=SID=2189300C2E426CB935F224882F826DDD
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=LuNqDiPc14zIFXj891FCnYVljRUQTWyEWQC1W6J2IsA; domain=.bing.com; expires=Fri, 13-Jun-2025 03:36:28 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 7720C38144684A57AB0C17DABBAE3D1C Ref B: LON04EDGE0812 Ref C: 2024-05-19T03:36:28Z
      date: Sun, 19 May 2024 03:36:27 GMT
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      22.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.160.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-nl
      GET
      https://www.bing.com/aes/c.gif?RG=4faef17f38be412fa1aa6a1874b8b20c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134311Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038
      Remote address:
      23.62.61.97:443
      Request
      GET /aes/c.gif?RG=4faef17f38be412fa1aa6a1874b8b20c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134311Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 HTTP/2.0
      host: www.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=1E409F6D369C63DF09848BE937276271
      Response
      HTTP/2.0 200
      cache-control: private,no-store
      pragma: no-cache
      vary: Origin
      p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0595CA3E47754030A3D1C3ED7D60F2B7 Ref B: DUS30EDGE0415 Ref C: 2024-05-19T03:36:27Z
      content-length: 0
      date: Sun, 19 May 2024 03:36:27 GMT
      set-cookie: _EDGE_S=SID=2189300C2E426CB935F224882F826DDD; path=/; httponly; domain=bing.com
      set-cookie: MUIDB=1E409F6D369C63DF09848BE937276271; path=/; httponly; expires=Fri, 13-Jun-2025 03:36:27 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.5d3d3e17.1716089787.b219ad2
    • flag-us
      DNS
      97.61.62.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.61.62.23.in-addr.arpa
      IN PTR
      Response
      97.61.62.23.in-addr.arpa
      IN PTR
      a23-62-61-97.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      43.58.199.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.58.199.20.in-addr.arpa
      IN PTR
      Response
    • flag-nl
      GET
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      Remote address:
      23.62.61.97:443
      Request
      GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
      host: www.bing.com
      accept: */*
      cookie: MUID=1E409F6D369C63DF09848BE937276271; _EDGE_S=SID=2189300C2E426CB935F224882F826DDD; MSPTC=LuNqDiPc14zIFXj891FCnYVljRUQTWyEWQC1W6J2IsA; MUIDB=1E409F6D369C63DF09848BE937276271
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-type: image/png
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      content-length: 1107
      date: Sun, 19 May 2024 03:36:29 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.5d3d3e17.1716089789.b219cf4
    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      6123632c-1b7c-4863-829b-1d883acc0371.uuid.realupdate.ru
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      6123632c-1b7c-4863-829b-1d883acc0371.uuid.realupdate.ru
      IN TXT
      Response
    • flag-us
      DNS
      103.169.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      103.169.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      103.169.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      103.169.127.40.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      stun3.l.google.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      stun3.l.google.com
      IN A
      Response
      stun3.l.google.com
      IN A
      74.125.250.129
    • flag-us
      DNS
      server12.realupdate.ru
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      server12.realupdate.ru
      IN A
      Response
      server12.realupdate.ru
      IN A
      185.82.216.96
    • flag-us
      DNS
      cdn.discordapp.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      cdn.discordapp.com
      IN A
      Response
      cdn.discordapp.com
      IN A
      162.159.130.233
      cdn.discordapp.com
      IN A
      162.159.129.233
      cdn.discordapp.com
      IN A
      162.159.133.233
      cdn.discordapp.com
      IN A
      162.159.135.233
      cdn.discordapp.com
      IN A
      162.159.134.233
    • flag-us
      DNS
      carsalessystem.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      carsalessystem.com
      IN A
      Response
      carsalessystem.com
      IN A
      172.67.221.71
      carsalessystem.com
      IN A
      104.21.94.82
    • flag-us
      DNS
      129.250.125.74.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      129.250.125.74.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      233.130.159.162.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      233.130.159.162.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      96.216.82.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      96.216.82.185.in-addr.arpa
      IN PTR
      Response
      96.216.82.185.in-addr.arpa
      IN PTR
      dedic-mariadebommarez-1201693.hosted-by-itldc.com
    • flag-us
      DNS
      71.221.67.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      71.221.67.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      77.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      77.190.18.2.in-addr.arpa
      IN PTR
      Response
      77.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-77.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      29.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.243.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net
      IN A
      204.79.197.200
      dual-a-0001.a-msedge.net
      IN A
      13.107.21.200
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 792794
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: BB8F735E4FD74BB4A65B5005E59E7190 Ref B: LON04EDGE1219 Ref C: 2024-05-19T03:38:07Z
      date: Sun, 19 May 2024 03:38:07 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 627437
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 94B0089C3BE94CDF9BB398C94B40DD66 Ref B: LON04EDGE1219 Ref C: 2024-05-19T03:38:07Z
      date: Sun, 19 May 2024 03:38:07 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 430689
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0ED03407A96B4D2C84791C728A884560 Ref B: LON04EDGE1219 Ref C: 2024-05-19T03:38:07Z
      date: Sun, 19 May 2024 03:38:07 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      204.79.197.200:443
      Request
      GET /th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 415458
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: A098BB3852034A64BCE4DAF1987897F8 Ref B: LON04EDGE1219 Ref C: 2024-05-19T03:38:08Z
      date: Sun, 19 May 2024 03:38:08 GMT
    • 204.79.197.237:443
      https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8W36in6Q1Dxk2EpiBs_O0BDVUCUxfGo3XAaKNEi_wkyv2N0ebkLUMNYBtLxA9sdd2ciHWl2M3ddOb8SosBw-ZgBdVgcMbYG0gmsbpYD97LKcXUPu75m4WLKdc9TE_IYfN-XD7TKzUAfGbj0Wg6TgN-VgF7kM0XyFoBAaUMO03svQvnYJl%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3De3355c6480e316b3768a3a4f2fb762d3&TIME=20240426T134311Z&CID=531035994&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
      tls, http2
      2.6kB
      9.0kB
      20
      17

      HTTP Request

      GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8W36in6Q1Dxk2EpiBs_O0BDVUCUxfGo3XAaKNEi_wkyv2N0ebkLUMNYBtLxA9sdd2ciHWl2M3ddOb8SosBw-ZgBdVgcMbYG0gmsbpYD97LKcXUPu75m4WLKdc9TE_IYfN-XD7TKzUAfGbj0Wg6TgN-VgF7kM0XyFoBAaUMO03svQvnYJl%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3De3355c6480e316b3768a3a4f2fb762d3&TIME=20240426T134311Z&CID=531035994&EID=531035994&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8W36in6Q1Dxk2EpiBs_O0BDVUCUxfGo3XAaKNEi_wkyv2N0ebkLUMNYBtLxA9sdd2ciHWl2M3ddOb8SosBw-ZgBdVgcMbYG0gmsbpYD97LKcXUPu75m4WLKdc9TE_IYfN-XD7TKzUAfGbj0Wg6TgN-VgF7kM0XyFoBAaUMO03svQvnYJl%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy54Ym94LmNvbSUyZmdhbWVzJTJmY2FsbC1vZi1kdXR5LW1vZGVybi13YXJmYXJlLWlpaSUzZm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX0NvRCUyNmZvcm0lM2RNNTAwNlg%26rlid%3De3355c6480e316b3768a3a4f2fb762d3&TIME=20240426T134311Z&CID=531035994&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

      HTTP Response

      204
    • 23.62.61.97:443
      https://www.bing.com/aes/c.gif?RG=4faef17f38be412fa1aa6a1874b8b20c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134311Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038
      tls, http2
      1.5kB
      5.4kB
      17
      13

      HTTP Request

      GET https://www.bing.com/aes/c.gif?RG=4faef17f38be412fa1aa6a1874b8b20c&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T134311Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

      HTTP Response

      200
    • 23.62.61.97:443
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      tls, http2
      1.7kB
      6.4kB
      18
      13

      HTTP Request

      GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

      HTTP Response

      200
    • 162.159.130.233:443
      cdn.discordapp.com
      tls
      csrss.exe
      1.3kB
      5.3kB
      15
      17
    • 185.82.216.96:443
      server12.realupdate.ru
      tls
      csrss.exe
      1.4kB
      5.0kB
      13
      14
    • 172.67.221.71:443
      carsalessystem.com
      tls
      csrss.exe
      86.9kB
      2.2MB
      1635
      1628
    • 185.82.216.96:443
      server12.realupdate.ru
      tls
      csrss.exe
      1.3kB
      4.6kB
      12
      13
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      16
      14
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      8.1kB
      16
      14
    • 204.79.197.200:443
      https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      tls, http2
      81.0kB
      2.4MB
      1707
      1703

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340783938_154JBSOQL12JS43YR&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340783939_14IT4JGOWRFC6CMW9&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360931610_110BPTPDN41GIXK2B&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360931609_1JAA48IJSET6WWQHH&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200
    • 204.79.197.200:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      589 B
      11
      8
    • 185.82.216.96:443
      server12.realupdate.ru
      tls
      csrss.exe
      1.9kB
      4.7kB
      12
      14
    • 8.8.8.8:53
      149.220.183.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      149.220.183.52.in-addr.arpa

    • 8.8.8.8:53
      79.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      79.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      151 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.237
      13.107.21.237

    • 8.8.8.8:53
      237.197.79.204.in-addr.arpa
      dns
      73 B
      143 B
      1
      1

      DNS Request

      237.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      22.160.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      22.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      97.61.62.23.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      97.61.62.23.in-addr.arpa

    • 8.8.8.8:53
      43.58.199.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      43.58.199.20.in-addr.arpa

    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      6123632c-1b7c-4863-829b-1d883acc0371.uuid.realupdate.ru
      dns
      csrss.exe
      101 B
      167 B
      1
      1

      DNS Request

      6123632c-1b7c-4863-829b-1d883acc0371.uuid.realupdate.ru

    • 8.8.8.8:53
      103.169.127.40.in-addr.arpa
      dns
      146 B
      147 B
      2
      1

      DNS Request

      103.169.127.40.in-addr.arpa

      DNS Request

      103.169.127.40.in-addr.arpa

    • 8.8.8.8:53
      stun3.l.google.com
      dns
      csrss.exe
      64 B
      80 B
      1
      1

      DNS Request

      stun3.l.google.com

      DNS Response

      74.125.250.129

    • 8.8.8.8:53
      server12.realupdate.ru
      dns
      csrss.exe
      68 B
      84 B
      1
      1

      DNS Request

      server12.realupdate.ru

      DNS Response

      185.82.216.96

    • 8.8.8.8:53
      cdn.discordapp.com
      dns
      csrss.exe
      64 B
      144 B
      1
      1

      DNS Request

      cdn.discordapp.com

      DNS Response

      162.159.130.233
      162.159.129.233
      162.159.133.233
      162.159.135.233
      162.159.134.233

    • 74.125.250.129:19302
      stun3.l.google.com
      csrss.exe
      48 B
      60 B
      1
      1
    • 8.8.8.8:53
      carsalessystem.com
      dns
      csrss.exe
      64 B
      96 B
      1
      1

      DNS Request

      carsalessystem.com

      DNS Response

      172.67.221.71
      104.21.94.82

    • 8.8.8.8:53
      129.250.125.74.in-addr.arpa
      dns
      73 B
      133 B
      1
      1

      DNS Request

      129.250.125.74.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      233.130.159.162.in-addr.arpa
      dns
      74 B
      136 B
      1
      1

      DNS Request

      233.130.159.162.in-addr.arpa

    • 8.8.8.8:53
      96.216.82.185.in-addr.arpa
      dns
      72 B
      135 B
      1
      1

      DNS Request

      96.216.82.185.in-addr.arpa

    • 8.8.8.8:53
      71.221.67.172.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      71.221.67.172.in-addr.arpa

    • 8.8.8.8:53
      77.190.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      77.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      29.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      29.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      173 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      204.79.197.200
      13.107.21.200

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nw35kati.wss.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      54163fdb81b113a485c9dc186662d344

      SHA1

      f9188808ad4f348104e790064aead5deecbb01db

      SHA256

      7bf4df9d471b9f6cace3879b80322ff7ed61e4a868e36f17c0a4b67708fe8564

      SHA512

      8fb7f251128384c649b7cf5a0b3f3d733c9279975b0f01d01253f9658906cdc3657176cecaffbe995b33b4869ab81a1162229f119239dccb6f262e2af0a3db08

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      73920b99fbae4e1d0ae273177ca85e52

      SHA1

      f2b5288f982c63433e43b87b4b73a7a789d8b227

      SHA256

      1e0fd4d3624456a699fd8f7d30ea2e7e2bb0cf81306848789a9810f7ba10f02e

      SHA512

      f3568defacc8fc1f70c5705f27215f35b939b0dab4d3b748d30a85b5d80ab6a38344e9ac5cfa3c02309df5055c7adaa3f67b45ae097fbe4115cff21ea7b459db

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      c19f8d89b072917771b2256dd264af57

      SHA1

      21c7f0bcd9227798264cdbc9c0da3dd98bfccca1

      SHA256

      84a072180f05d7b3c0ddb0d33244dc805b02a2bb725bc80a17a341b966e95a9c

      SHA512

      f1f1dbfea9df7700614ff2b8305b2c2c7337002f26d8c2154f2514e4331e4bedb43662ec9d70cb20d0fe10767a12d7afd43e7b32af1f0fe9e3042595967f7c68

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      397aa1b398239197c73b62ff629001d8

      SHA1

      963339ae7701cf8716f20758e1b9515162751fc3

      SHA256

      17bed2463f1fb38ac065d9b95995568210409874cf0608e045f642ccb1660d25

      SHA512

      3b148e977ddc24779e663edf298968f8ae8694e9d5dfe3e834e8a01dcf171e91e6134590d61202c95cd918ac544611f27a2406be663a9159471846a15b98fe44

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      783e822c3f12f23a7cc4055aa05fe274

      SHA1

      c9434adfba62eb8e256ada7d5588258a3406253a

      SHA256

      7f367254da15fe7bb39cd2446a88b322006cba17cc48503195f4fd509b33e3e3

      SHA512

      def820dfefe81a508c67a6d5edc8ccbe0145cde3b72211a556abeefb2a6b7528c48e573050d968a487005c411f2a914fd55dd25f80384a8604bbbd167af5142f

    • C:\Windows\rss\csrss.exe

      Filesize

      4.1MB

      MD5

      66169f4786642c8c51d82e11d4fef1c0

      SHA1

      4e0cfc005d8637d2d07daf7e1f2a18cab560e6cb

      SHA256

      d4a9c9ddfe34e1a0b1dea76ebbeb37a5a74e5eef08223a0cb4b11c07dacffe80

      SHA512

      d195f38ab65b070dde4f58c95a18f2011fb2bafcb9a04eded2333a02d286abb36bc2bea22e4dde869a5c2583ec47b25b1c075336ad070ef079f074bfde2436ec

    • C:\Windows\windefender.exe

      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

    • memory/452-133-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/452-55-0x0000000002970000-0x0000000002D69000-memory.dmp

      Filesize

      4.0MB

    • memory/840-219-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

    • memory/840-224-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

    • memory/960-146-0x000000006FF60000-0x000000006FFAC000-memory.dmp

      Filesize

      304KB

    • memory/960-147-0x00000000700E0000-0x0000000070434000-memory.dmp

      Filesize

      3.3MB

    • memory/1032-28-0x0000000007740000-0x0000000007772000-memory.dmp

      Filesize

      200KB

    • memory/1032-10-0x00000000054C0000-0x0000000005526000-memory.dmp

      Filesize

      408KB

    • memory/1032-27-0x0000000007580000-0x000000000759A000-memory.dmp

      Filesize

      104KB

    • memory/1032-29-0x000000006FF60000-0x000000006FFAC000-memory.dmp

      Filesize

      304KB

    • memory/1032-30-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

    • memory/1032-31-0x00000000700E0000-0x0000000070434000-memory.dmp

      Filesize

      3.3MB

    • memory/1032-4-0x00000000740CE000-0x00000000740CF000-memory.dmp

      Filesize

      4KB

    • memory/1032-41-0x0000000007780000-0x000000000779E000-memory.dmp

      Filesize

      120KB

    • memory/1032-43-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

    • memory/1032-42-0x00000000077A0000-0x0000000007843000-memory.dmp

      Filesize

      652KB

    • memory/1032-44-0x0000000007890000-0x000000000789A000-memory.dmp

      Filesize

      40KB

    • memory/1032-45-0x00000000079A0000-0x0000000007A36000-memory.dmp

      Filesize

      600KB

    • memory/1032-46-0x00000000078A0000-0x00000000078B1000-memory.dmp

      Filesize

      68KB

    • memory/1032-47-0x00000000078E0000-0x00000000078EE000-memory.dmp

      Filesize

      56KB

    • memory/1032-48-0x0000000007900000-0x0000000007914000-memory.dmp

      Filesize

      80KB

    • memory/1032-49-0x0000000007940000-0x000000000795A000-memory.dmp

      Filesize

      104KB

    • memory/1032-50-0x0000000007930000-0x0000000007938000-memory.dmp

      Filesize

      32KB

    • memory/1032-53-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

    • memory/1032-25-0x00000000074E0000-0x0000000007556000-memory.dmp

      Filesize

      472KB

    • memory/1032-5-0x0000000002BD0000-0x0000000002C06000-memory.dmp

      Filesize

      216KB

    • memory/1032-6-0x00000000056B0000-0x0000000005CD8000-memory.dmp

      Filesize

      6.2MB

    • memory/1032-7-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

    • memory/1032-8-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

    • memory/1032-9-0x0000000005220000-0x0000000005242000-memory.dmp

      Filesize

      136KB

    • memory/1032-11-0x0000000005530000-0x0000000005596000-memory.dmp

      Filesize

      408KB

    • memory/1032-26-0x0000000007BE0000-0x000000000825A000-memory.dmp

      Filesize

      6.5MB

    • memory/1032-21-0x0000000005CE0000-0x0000000006034000-memory.dmp

      Filesize

      3.3MB

    • memory/1032-24-0x0000000006770000-0x00000000067B4000-memory.dmp

      Filesize

      272KB

    • memory/1032-23-0x00000000061E0000-0x000000000622C000-memory.dmp

      Filesize

      304KB

    • memory/1032-22-0x00000000061B0000-0x00000000061CE000-memory.dmp

      Filesize

      120KB

    • memory/1204-95-0x000000006FF60000-0x000000006FFAC000-memory.dmp

      Filesize

      304KB

    • memory/1204-96-0x00000000706E0000-0x0000000070A34000-memory.dmp

      Filesize

      3.3MB

    • memory/2292-78-0x0000000007EB0000-0x0000000007EC1000-memory.dmp

      Filesize

      68KB

    • memory/2292-66-0x000000006FF60000-0x000000006FFAC000-memory.dmp

      Filesize

      304KB

    • memory/2292-67-0x00000000706E0000-0x0000000070A34000-memory.dmp

      Filesize

      3.3MB

    • memory/2292-56-0x00000000062E0000-0x0000000006634000-memory.dmp

      Filesize

      3.3MB

    • memory/2292-77-0x0000000007B70000-0x0000000007C13000-memory.dmp

      Filesize

      652KB

    • memory/2292-79-0x0000000007F00000-0x0000000007F14000-memory.dmp

      Filesize

      80KB

    • memory/2388-118-0x000000006FF60000-0x000000006FFAC000-memory.dmp

      Filesize

      304KB

    • memory/2388-119-0x00000000706E0000-0x0000000070A34000-memory.dmp

      Filesize

      3.3MB

    • memory/3332-228-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

    • memory/3332-223-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

    • memory/3332-233-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

    • memory/4052-167-0x00000000058D0000-0x0000000005C24000-memory.dmp

      Filesize

      3.3MB

    • memory/4052-170-0x000000006FE80000-0x000000006FECC000-memory.dmp

      Filesize

      304KB

    • memory/4052-181-0x0000000007260000-0x0000000007303000-memory.dmp

      Filesize

      652KB

    • memory/4052-182-0x0000000005DE0000-0x0000000005DF1000-memory.dmp

      Filesize

      68KB

    • memory/4052-183-0x0000000005E20000-0x0000000005E34000-memory.dmp

      Filesize

      80KB

    • memory/4052-171-0x0000000070630000-0x0000000070984000-memory.dmp

      Filesize

      3.3MB

    • memory/4052-169-0x00000000060A0000-0x00000000060EC000-memory.dmp

      Filesize

      304KB

    • memory/4064-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4064-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4064-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4064-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4064-254-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4064-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4064-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4064-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4064-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4064-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4064-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4064-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4064-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4912-116-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4912-83-0x0000000002E50000-0x000000000373B000-memory.dmp

      Filesize

      8.9MB

    • memory/4912-82-0x0000000002A50000-0x0000000002E50000-memory.dmp

      Filesize

      4.0MB

    • memory/4912-2-0x0000000002E50000-0x000000000373B000-memory.dmp

      Filesize

      8.9MB

    • memory/4912-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

    • memory/4912-1-0x0000000002A50000-0x0000000002E50000-memory.dmp

      Filesize

      4.0MB

    • memory/5020-198-0x0000000070000000-0x0000000070354000-memory.dmp

      Filesize

      3.3MB

    • memory/5020-194-0x0000000005A40000-0x0000000005D94000-memory.dmp

      Filesize

      3.3MB

    • memory/5020-197-0x000000006FE80000-0x000000006FECC000-memory.dmp

      Filesize

      304KB