Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/06/2024, 12:20 UTC

General

  • Target

    b249088b9ed63a8f18fb55fc567742d3dd4422d62c989b2b34c1f65987134269.exe

  • Size

    1.9MB

  • MD5

    92ed84d1d3c6d2ac327b1db563a312d4

  • SHA1

    56515f040716a32e4de45994c02ee30e61bde8d4

  • SHA256

    b249088b9ed63a8f18fb55fc567742d3dd4422d62c989b2b34c1f65987134269

  • SHA512

    1368f89fc6d654ce48ae7294a5c01aeb8d9746df14d9b50e8652e1466c0675bcf58262cd4fe9e14a12eda4410679abb5278e023df5f221dcfcb107ff6b24c933

  • SSDEEP

    24576:n/eC7bzaXi7m0wJu0LXolGLbJnR/z4+EbVbw2qug4ctOlQLernWO:nGYz0P0wMS4cdR/z4+UVi4e9Crn

Malware Config

Extracted

Family

stealc

rc4.plain
1
2910114286690104117195131148

Extracted

Family

vidar

C2

https://t.me/r8z0l

https://steamcommunity.com/profiles/76561199698764354

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Signatures

  • Detect Vidar Stealer 8 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b249088b9ed63a8f18fb55fc567742d3dd4422d62c989b2b34c1f65987134269.exe
    "C:\Users\Admin\AppData\Local\Temp\b249088b9ed63a8f18fb55fc567742d3dd4422d62c989b2b34c1f65987134269.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Users\Admin\AppData\Local\Temp\kat6561.tmp
      C:\Users\Admin\AppData\Local\Temp\kat6561.tmp
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:4176

Network

  • flag-us
    DNS
    t.me
    kat6561.tmp
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-nl
    GET
    https://t.me/r8z0l
    kat6561.tmp
    Remote address:
    149.154.167.99:443
    Request
    GET /r8z0l HTTP/1.1
    Host: t.me
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Thu, 06 Jun 2024 12:20:29 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 12303
    Connection: keep-alive
    Set-Cookie: stel_ssid=48625d0c895d173746_5841569307747572325; expires=Fri, 07 Jun 2024 12:20:29 GMT; path=/; samesite=None; secure; HttpOnly
    Pragma: no-cache
    Cache-control: no-store
    X-Frame-Options: ALLOW-FROM https://web.telegram.org
    Content-Security-Policy: frame-ancestors https://web.telegram.org
    Strict-Transport-Security: max-age=35768000
  • flag-de
    GET
    https://116.202.190.18:5432/
    kat6561.tmp
    Remote address:
    116.202.190.18:5432
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 06 Jun 2024 12:20:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    203.107.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    203.107.17.2.in-addr.arpa
    IN PTR
    Response
    203.107.17.2.in-addr.arpa
    IN PTR
    a2-17-107-203deploystaticakamaitechnologiescom
  • flag-us
    DNS
    99.167.154.149.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.167.154.149.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.190.202.116.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.190.202.116.in-addr.arpa
    IN PTR
    Response
    18.190.202.116.in-addr.arpa
    IN PTR
    static18190202116clients your-serverde
  • flag-de
    POST
    https://116.202.190.18:5432/
    kat6561.tmp
    Remote address:
    116.202.190.18:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----FHJEGIIEGIDGIDHJDAKF
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Content-Length: 278
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 06 Jun 2024 12:20:30 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://116.202.190.18:5432/
    kat6561.tmp
    Remote address:
    116.202.190.18:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----JEHDHIEGIIIDHIDHDHJJ
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 06 Jun 2024 12:20:30 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-de
    POST
    https://116.202.190.18:5432/
    kat6561.tmp
    Remote address:
    116.202.190.18:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IJKFCFHJDBKKFHIEHIDG
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 06 Jun 2024 12:20:31 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://116.202.190.18:5432/
    kat6561.tmp
    Remote address:
    116.202.190.18:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IECGHJKKJDHIEBFHCAKE
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Content-Length: 332
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 06 Jun 2024 12:20:31 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    POST
    https://116.202.190.18:5432/
    kat6561.tmp
    Remote address:
    116.202.190.18:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IJDHCBGHJEGHJJKFHIIE
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Content-Length: 4741
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 06 Jun 2024 12:20:32 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-de
    GET
    https://116.202.190.18:5432/sqls.dll
    kat6561.tmp
    Remote address:
    116.202.190.18:5432
    Request
    GET /sqls.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 06 Jun 2024 12:20:32 GMT
    Content-Type: application/octet-stream
    Content-Length: 2459136
    Last-Modified: Sun, 02 Jun 2024 19:44:54 GMT
    Connection: keep-alive
    ETag: "665ccbb6-258600"
    Accept-Ranges: bytes
  • flag-de
    POST
    https://116.202.190.18:5432/
    kat6561.tmp
    Remote address:
    116.202.190.18:5432
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CAEHCFCBKKJDGCAKFCFI
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
    Host: 116.202.190.18:5432
    Content-Length: 437
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 06 Jun 2024 12:20:33 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.197.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.197.17.2.in-addr.arpa
    IN PTR
    Response
    240.197.17.2.in-addr.arpa
    IN PTR
    a2-17-197-240deploystaticakamaitechnologiescom
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 447956
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F67FB7D800B247FCBBA489640C5C6F65 Ref B: LON04EDGE0919 Ref C: 2024-06-06T12:21:32Z
    date: Thu, 06 Jun 2024 12:21:31 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239370639702_1LY06F7YB2ZF9D3G5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239370639702_1LY06F7YB2ZF9D3G5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 664170
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7D624F0A477E4C0DA71660F1647FCA43 Ref B: LON04EDGE0919 Ref C: 2024-06-06T12:21:32Z
    date: Thu, 06 Jun 2024 12:21:31 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239385734239_1FZK43O4G75P8OXYJ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239385734239_1FZK43O4G75P8OXYJ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 637660
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 815CDDF440204624B3C718C462051EFC Ref B: LON04EDGE0919 Ref C: 2024-06-06T12:21:32Z
    date: Thu, 06 Jun 2024 12:21:31 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239370639606_1UY6VCV79VNDR5KH5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239370639606_1UY6VCV79VNDR5KH5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 634564
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 3C8FC41545304ACABDD3409346E2C4EA Ref B: LON04EDGE0919 Ref C: 2024-06-06T12:21:32Z
    date: Thu, 06 Jun 2024 12:21:31 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239370639595_1MX6CE6U5QJ1LNKB2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239370639595_1MX6CE6U5QJ1LNKB2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 612524
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BF365ED26F80451A9C563ED14B3AFDF8 Ref B: LON04EDGE0919 Ref C: 2024-06-06T12:21:32Z
    date: Thu, 06 Jun 2024 12:21:31 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239385734245_139410YUSZG979RFN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239385734245_139410YUSZG979RFN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 435390
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0DC576DA6B8F48239EBCBB2F6A4F29DF Ref B: LON04EDGE0919 Ref C: 2024-06-06T12:21:32Z
    date: Thu, 06 Jun 2024 12:21:31 GMT
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001a-msedgenet
  • flag-us
    DNS
    249.197.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    249.197.17.2.in-addr.arpa
    IN PTR
    Response
    249.197.17.2.in-addr.arpa
    IN PTR
    a2-17-197-249deploystaticakamaitechnologiescom
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    23.62.61.129:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Thu, 06 Jun 2024 12:22:04 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.7d3d3e17.1717676524.3926d09
  • flag-us
    DNS
    129.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    129.61.62.23.in-addr.arpa
    IN PTR
    Response
    129.61.62.23.in-addr.arpa
    IN PTR
    a23-62-61-129deploystaticakamaitechnologiescom
  • flag-us
    DNS
    136.71.105.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    136.71.105.51.in-addr.arpa
    IN PTR
    Response
  • 149.154.167.99:443
    https://t.me/r8z0l
    tls, http
    kat6561.tmp
    1.5kB
    19.4kB
    24
    20

    HTTP Request

    GET https://t.me/r8z0l

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/
    tls, http
    kat6561.tmp
    966 B
    2.7kB
    11
    8

    HTTP Request

    GET https://116.202.190.18:5432/

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/
    tls, http
    kat6561.tmp
    1.4kB
    622 B
    9
    6

    HTTP Request

    POST https://116.202.190.18:5432/

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/
    tls, http
    kat6561.tmp
    1.5kB
    2.2kB
    10
    7

    HTTP Request

    POST https://116.202.190.18:5432/

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/
    tls, http
    kat6561.tmp
    1.6kB
    6.3kB
    13
    10

    HTTP Request

    POST https://116.202.190.18:5432/

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/
    tls, http
    kat6561.tmp
    1.4kB
    672 B
    9
    6

    HTTP Request

    POST https://116.202.190.18:5432/

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/
    tls, http
    kat6561.tmp
    6.0kB
    605 B
    13
    7

    HTTP Request

    POST https://116.202.190.18:5432/

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/sqls.dll
    tls, http
    kat6561.tmp
    116.5kB
    2.7MB
    1953
    1949

    HTTP Request

    GET https://116.202.190.18:5432/sqls.dll

    HTTP Response

    200
  • 116.202.190.18:5432
    https://116.202.190.18:5432/
    tls, http
    kat6561.tmp
    1.5kB
    528 B
    8
    5

    HTTP Request

    POST https://116.202.190.18:5432/

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    13
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239385734245_139410YUSZG979RFN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    122.8kB
    3.6MB
    2578
    2573

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239370639703_1XZVEAKL3PD7EZGL4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239370639702_1LY06F7YB2ZF9D3G5&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239385734239_1FZK43O4G75P8OXYJ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239370639606_1UY6VCV79VNDR5KH5&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239370639595_1MX6CE6U5QJ1LNKB2&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239385734245_139410YUSZG979RFN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 23.62.61.129:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.5kB
    6.3kB
    17
    11

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 8.8.8.8:53
    t.me
    dns
    kat6561.tmp
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    203.107.17.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    203.107.17.2.in-addr.arpa

  • 8.8.8.8:53
    99.167.154.149.in-addr.arpa
    dns
    73 B
    166 B
    1
    1

    DNS Request

    99.167.154.149.in-addr.arpa

  • 8.8.8.8:53
    18.190.202.116.in-addr.arpa
    dns
    73 B
    131 B
    1
    1

    DNS Request

    18.190.202.116.in-addr.arpa

  • 8.8.8.8:53
    64.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    64.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    240.197.17.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    240.197.17.2.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
    106 B
    1
    1

    DNS Request

    200.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    249.197.17.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    249.197.17.2.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    129.61.62.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    129.61.62.23.in-addr.arpa

  • 8.8.8.8:53
    136.71.105.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    136.71.105.51.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kat6561.tmp

    Filesize

    861KB

    MD5

    66064dbdb70a5eb15ebf3bf65aba254b

    SHA1

    0284fd320f99f62aca800fb1251eff4c31ec4ed7

    SHA256

    6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

    SHA512

    b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

  • memory/380-0-0x0000000002230000-0x0000000002231000-memory.dmp

    Filesize

    4KB

  • memory/380-1-0x0000000002970000-0x0000000002AD6000-memory.dmp

    Filesize

    1.4MB

  • memory/380-10-0x0000000000400000-0x00000000005DF000-memory.dmp

    Filesize

    1.9MB

  • memory/4176-9-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/4176-8-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/4176-4-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/4176-13-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/4176-14-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/4176-17-0x000000001B7D0000-0x000000001BA2F000-memory.dmp

    Filesize

    2.4MB

  • memory/4176-31-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/4176-32-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.