Analysis
- max time kernel: 158s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/06/2024, 21:50 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: 0def1a87472f2d3e633407e031256f0fa5df2d550a46db954eb4b67e2fb28349_NeikiAnalytics.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 0def1a87472f2d3e633407e031256f0fa5df2d550a46db954eb4b67e2fb28349_NeikiAnalytics.exe
- Resource: win10v2004-20240226-en
General
- Target: 0def1a87472f2d3e633407e031256f0fa5df2d550a46db954eb4b67e2fb28349_NeikiAnalytics.exe
- Size: 89KB
- MD5: 68566b294db6b1c61436e54f4f6b1280
- SHA1: 6ca1bae1c02d08f1ac81f756caa82f2688a08beb
- SHA256: 0def1a87472f2d3e633407e031256f0fa5df2d550a46db954eb4b67e2fb28349
- SHA512: 9d72a04e57db14e349955abb531350a964a232e97fc77001599b04836a7343af3458988648fcda7df3ee3e475a51d59943e7f52bbfe9f9d1760c02ef8d3ac071
- SSDEEP: 1536:k9o65gQK3Zm+Mt9RV5O8oQ9cXFunGm6ManhFLnBqHan6owwosTk8vxA:k9o6fK2XqXQwhnHlqQo8Lvy
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BBE366B9 = "C:\\Users\\Admin\\AppData\\Roaming\\BBE366B9\\bin.exe"
  Process: winver.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 2788 winver.exe (the same entry is listed 64 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process: Token: SeShutdownPrivilege, 4008, RuntimeBroker.exe (listed twice)
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid / Process: 2788 winver.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target (identical entries collapsed, original order kept):
  PID 1196 wrote to memory of 2788 | 1196 | 0def1a87472f2d3e633407e031256f0fa5df2d550a46db954eb4b67e2fb28349_NeikiAnalytics.exe | 92 (4 entries)
  PID 2788 wrote to memory of 3360 | 2788 | winver.exe | 57 (2 entries)
  PID 2788 wrote to memory of 2400 | 2788 | winver.exe | 42
  PID 2788 wrote to memory of 2420 | 2788 | winver.exe | 43
  PID 2788 wrote to memory of 2632 | 2788 | winver.exe | 47
  PID 2788 wrote to memory of 3540 | 2788 | winver.exe | 58
  PID 2788 wrote to memory of 3784 | 2788 | winver.exe | 59
  PID 2788 wrote to memory of 3892 | 2788 | winver.exe | 60
  PID 2788 wrote to memory of 4008 | 2788 | winver.exe | 61
  PID 2788 wrote to memory of 3112 | 2788 | winver.exe | 62
  PID 2788 wrote to memory of 4188 | 2788 | winver.exe | 63
  PID 2788 wrote to memory of 4592 | 2788 | winver.exe | 65
  PID 2788 wrote to memory of 3356 | 2788 | winver.exe | 76
  PID 2788 wrote to memory of 2448 | 2788 | winver.exe | 78
  PID 2788 wrote to memory of 4388 | 2788 | winver.exe | 79
  PID 2788 wrote to memory of 2864 | 2788 | winver.exe | 80
  PID 2788 wrote to memory of 3852 | 2788 | winver.exe | 81
  PID 2788 wrote to memory of 2940 | 2788 | winver.exe | 82
  PID 2788 wrote to memory of 1716 | 2788 | winver.exe | 84
  PID 2788 wrote to memory of 1164 | 2788 | winver.exe | 85
  PID 2448 wrote to memory of 1796 | 2448 | msedge.exe | 98 (40 entries)
Processes
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2400
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2420
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2632
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3360
  - C:\Users\Admin\AppData\Local\Temp\0def1a87472f2d3e633407e031256f0fa5df2d550a46db954eb4b67e2fb28349_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0def1a87472f2d3e633407e031256f0fa5df2d550a46db954eb4b67e2fb28349_NeikiAnalytics.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1196
    - C:\Windows\SysWOW64\winver.exe
      Command line: winver
      Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      PID: 2788
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3540
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3784
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3892
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 4008
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3112
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4188
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4592
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2448
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ff97c662e98,0x7ff97c662ea4,0x7ff97c662eb0
    PID: 4388
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2280 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:2
    PID: 2864
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3224 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:3
    PID: 3852
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3328 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
    PID: 2940
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5260 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:1
    PID: 1716
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5468 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:1
    PID: 1164
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3852 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
    PID: 1796
Network
- Remote address: 8.8.8.8:53
  Request: www.google.com IN A
  Response: www.google.com IN A 142.250.187.196
- Remote address: 8.8.8.8:53
  Request: insamertojertoq.cc IN A
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 196.249.167.52.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 172.214.232.199.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 172.214.232.199.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53
  Request: 76.32.126.40.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 76.32.126.40.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53
  Request: chromewebstore.googleapis.com IN A
  Response: chromewebstore.googleapis.com IN A 172.217.16.234; IN A 142.250.179.234; IN A 216.58.212.234; IN A 142.250.187.234; IN A 142.250.200.10; IN A 172.217.169.10; IN A 142.250.200.42; IN A 142.250.180.10; IN A 142.250.178.10; IN A 216.58.201.106; IN A 216.58.212.202; IN A 216.58.204.74; IN A 142.250.187.202
- Remote address: 8.8.8.8:53
  Request: chromewebstore.googleapis.com IN Unknown
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: pki.goog IN A
  Response: pki.goog IN A 216.239.32.29
- Remote address: 8.8.8.8:53
  Request: pki.goog IN Unknown
  Response: (empty)
- Remote address: 216.239.32.29:80
  Request:
  GET /gsr1/gsr1.crt HTTP/1.1
  Host: pki.goog
  Connection: keep-alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Response:
  HTTP/1.1 200 OK
  Content-Encoding: gzip
  Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
  Cross-Origin-Resource-Policy: cross-origin
  Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
  Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
  Content-Length: 797
  X-Content-Type-Options: nosniff
  Server: sffe
  X-XSS-Protection: 0
  Date: Wed, 19 Jun 2024 21:27:46 GMT
  Expires: Wed, 19 Jun 2024 22:17:46 GMT
  Cache-Control: public, max-age=3000
  Age: 1395
  Last-Modified: Wed, 20 May 2020 16:45:00 GMT
  Content-Type: application/pkix-cert
  Vary: Accept-Encoding
- Remote address: 216.239.32.29:80
  Request:
  GET /repo/certs/gtsr1.der HTTP/1.1
  Host: pki.goog
  Connection: keep-alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Response:
  HTTP/1.1 200 OK
  Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
  Cross-Origin-Resource-Policy: cross-origin
  Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
  Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
  Content-Length: 1371
  X-Content-Type-Options: nosniff
  Server: sffe
  X-XSS-Protection: 0
  Date: Wed, 19 Jun 2024 21:27:58 GMT
  Expires: Wed, 19 Jun 2024 22:17:58 GMT
  Cache-Control: public, max-age=3000
  Age: 1383
  Last-Modified: Sun, 25 Jun 2023 02:58:00 GMT
  Content-Type: application/pkix-cert
  Vary: Accept-Encoding
- Remote address: 216.239.32.29:80
  Request:
  GET /repo/certs/gts1c3.der HTTP/1.1
  Host: pki.goog
  Connection: keep-alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Response:
  HTTP/1.1 200 OK
  Content-Encoding: gzip
  Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
  Cross-Origin-Resource-Policy: cross-origin
  Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
  Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
  Content-Length: 1304
  X-Content-Type-Options: nosniff
  Server: sffe
  X-XSS-Protection: 0
  Date: Wed, 19 Jun 2024 21:28:33 GMT
  Expires: Wed, 19 Jun 2024 22:18:33 GMT
  Cache-Control: public, max-age=3000
  Age: 1348
  Last-Modified: Mon, 17 Aug 2020 09:45:00 GMT
  Content-Type: application/pkix-cert
  Vary: Accept-Encoding
- Remote address: 8.8.8.8:53
  Request: 234.16.217.172.in-addr.arpa IN PTR
  Response: 234.16.217.172.in-addr.arpa IN PTR lhr48s28-in-f10.1e100.net; 234.16.217.172.in-addr.arpa IN PTR mad08s04-in-f10 (remainder truncated in the report)
- Remote address: 8.8.8.8:53
  Request: 234.16.217.172.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53
  Request: 29.32.239.216.in-addr.arpa IN PTR
  Response: 29.32.239.216.in-addr.arpa IN PTR any-in-201d.1e100.net
- Remote address: 8.8.8.8:53
  Request: 29.32.239.216.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53
  Request: insamertojertoq.cc IN A
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: yxjsibeugmmj.com IN A
  Response: yxjsibeugmmj.com IN A 216.218.185.162
- Remote address: 8.8.8.8:53
  Request: yxjsibeugmmj.com IN A
- Remote address: 216.218.185.162:80
  Request:
  POST /in0odrfqwbio0sa/ HTTP/1.0
  Host: yxjsibeugmmj.com
  Content-Length: 157
  Response:
  HTTP/1.1 200 OK
  Date: Wed, 19 Jun 2024 21:51:09 GMT
  Content-Type: application/octet-stream
  Content-Length: 0
  Connection: close
- Remote address: 8.8.8.8:53
  Request: lngothvvceon.com IN A
  Response: lngothvvceon.com IN A 216.218.185.162
- Remote address: 216.218.185.162:80
  Request:
  POST /in0odrfqwbio0sa/ HTTP/1.0
  Host: lngothvvceon.com
  Content-Length: 157
  Response:
  HTTP/1.1 200 OK
  Date: Wed, 19 Jun 2024 21:51:11 GMT
  Content-Type: application/octet-stream
  Content-Length: 0
  Connection: close
- Remote address: 8.8.8.8:53
  Request: 162.185.218.216.in-addr.arpa IN PTR
  Response: 162.185.218.216.in-addr.arpa IN CNAME 162.160-29.185.218.216.in-addr.arpa; 162.160-29.185.218.216.in-addr.arpa IN PTR 216-218-185-162.sinkhole.shadowserver.org
- Remote address: 8.8.8.8:53
  Request: 162.185.218.216.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53
  Request: tbiimhetdqyn.com IN A
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: tbiimhetdqyn.net IN A
  Response: tbiimhetdqyn.net IN A 216.218.185.162
- Remote address: 8.8.8.8:53
  Request: tbiimhetdqyn.net IN A
- Remote address: 216.218.185.162:80
  Request:
  POST /in0odrfqwbio0sa/ HTTP/1.0
  Host: tbiimhetdqyn.net
  Content-Length: 157
  Response:
  HTTP/1.1 200 OK
  Date: Wed, 19 Jun 2024 21:51:13 GMT
  Content-Type: application/octet-stream
  Content-Length: 0
  Connection: close
- Remote address: 8.8.8.8:53
  Request: pmiqpskfkwkc.com IN A
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: pmiqpskfkwkc.net IN A
  Response: pmiqpskfkwkc.net IN A 216.218.185.162
- Remote address: 8.8.8.8:53
  Request: 183.59.114.20.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 216.218.185.162:80
  Request:
  POST /in0odrfqwbio0sa/ HTTP/1.0
  Host: pmiqpskfkwkc.net
  Content-Length: 157
  Response:
  HTTP/1.1 200 OK
  Date: Wed, 19 Jun 2024 21:51:14 GMT
  Content-Type: application/octet-stream
  Content-Length: 0
  Connection: close
- Remote address: 8.8.8.8:53
  Request: osghqrdmlyhh.com IN A
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: osghqrdmlyhh.com IN A
- Remote address: 8.8.8.8:53
  Request: osghqrdmlyhh.com IN A
- Remote address: 8.8.8.8:53
  Request: 18.31.95.13.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: osghqrdmlyhh.net IN A
  Response: osghqrdmlyhh.net IN A 216.218.185.162
- Remote address: 8.8.8.8:53
  Request: osghqrdmlyhh.net IN A
- Remote address: 216.218.185.162:80
  Request:
  POST /in0odrfqwbio0sa/ HTTP/1.0
  Host: osghqrdmlyhh.net
  Content-Length: 157
  Response:
  HTTP/1.1 200 OK
  Date: Wed, 19 Jun 2024 21:51:19 GMT
  Content-Type: application/octet-stream
  Connection: close
- Remote address: 8.8.8.8:53
  Request: 97.17.167.52.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 97.17.167.52.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53
  Request: 103.169.127.40.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 217.106.137.52.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 2.36.159.162.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 2.36.159.162.in-addr.arpa IN PTR
- Remote address: 8.8.8.8:53
  Request: 103.169.127.40.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 92.12.20.2.in-addr.arpa IN PTR
  Response: 92.12.20.2.in-addr.arpa IN PTR a2-20-12-92.deploy.static.akamaitechnologies.com
- Remote address: 8.8.8.8:53
  Request: 82.90.14.23.in-addr.arpa IN PTR
  Response: 82.90.14.23.in-addr.arpa IN PTR a23-14-90-82.deploy.static.akamaitechnologies.com
- Remote address: 8.8.8.8:53
  Request: 13.227.111.52.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 0.204.248.87.in-addr.arpa IN PTR
  Response: 0.204.248.87.in-addr.arpa IN PTR https-87-248-204-0.lhr.llnw.net
- Remote address: 8.8.8.8:53
  Request: 8.173.189.20.in-addr.arpa IN PTR
  Response: (empty)
- 1.0kB 5.2kB 8 7
- 242 B 156 B 5 3
- 1.3kB 6.1kB 10 10
  HTTP Request: GET http://pki.goog/gsr1/gsr1.crt
  HTTP Response: 200
  HTTP Request: GET http://pki.goog/repo/certs/gtsr1.der
  HTTP Response: 200
  HTTP Request: GET http://pki.goog/repo/certs/gts1c3.der
  HTTP Response: 200
- 507 B 400 B 6 6
  HTTP Request: POST http://yxjsibeugmmj.com/in0odrfqwbio0sa/
  HTTP Response: 200
- 680 B 400 B 7 6
  HTTP Request: POST http://lngothvvceon.com/in0odrfqwbio0sa/
  HTTP Response: 200
- 611 B 360 B 6 5
  HTTP Request: POST http://tbiimhetdqyn.net/in0odrfqwbio0sa/
  HTTP Response: 200
- 553 B 400 B 7 6
  HTTP Request: POST http://pmiqpskfkwkc.net/in0odrfqwbio0sa/
  HTTP Response: 200
- 1.6kB 1.3kB 30 29
  HTTP Request: POST http://osghqrdmlyhh.net/in0odrfqwbio0sa/
  HTTP Response: 200
- 60 B 76 B 1 1
  DNS Request: www.google.com
  DNS Response: 142.250.187.196
- 64 B 131 B 1 1
  DNS Request: insamertojertoq.cc
- 73 B 147 B 1 1
  DNS Request: 196.249.167.52.in-addr.arpa
- 148 B 128 B 2 1
  DNS Request: 172.214.232.199.in-addr.arpa
  DNS Request: 172.214.232.199.in-addr.arpa
- 142 B 157 B 2 1
  DNS Request: 76.32.126.40.in-addr.arpa
  DNS Request: 76.32.126.40.in-addr.arpa
- 75 B 283 B 1 1
  DNS Request: chromewebstore.googleapis.com
  DNS Response: 172.217.16.234, 142.250.179.234, 216.58.212.234, 142.250.187.234, 142.250.200.10, 172.217.169.10, 142.250.200.42, 142.250.180.10, 142.250.178.10, 216.58.201.106, 216.58.212.202, 216.58.204.74, 142.250.187.202
- 75 B 132 B 1 1
  DNS Request: chromewebstore.googleapis.com
- 54 B 70 B 1 1
  DNS Request: pki.goog
  DNS Response: 216.239.32.29
- 54 B 128 B 1 1
  DNS Request: pki.goog
- 146 B 142 B 2 1
  DNS Request: 234.16.217.172.in-addr.arpa
  DNS Request: 234.16.217.172.in-addr.arpa
- 144 B 107 B 2 1
  DNS Request: 29.32.239.216.in-addr.arpa
  DNS Request: 29.32.239.216.in-addr.arpa
- 64 B 131 B 1 1
  DNS Request: insamertojertoq.cc
- 124 B 78 B 2 1
  DNS Request: yxjsibeugmmj.com
  DNS Request: yxjsibeugmmj.com
  DNS Response: 216.218.185.162
- 62 B 78 B 1 1
  DNS Request: lngothvvceon.com
  DNS Response: 216.218.185.162
- 148 B 154 B 2 1
  DNS Request: 162.185.218.216.in-addr.arpa
  DNS Request: 162.185.218.216.in-addr.arpa
- 62 B 135 B 1 1
  DNS Request: tbiimhetdqyn.com
- 124 B 78 B 2 1
  DNS Request: tbiimhetdqyn.net
  DNS Request: tbiimhetdqyn.net
  DNS Response: 216.218.185.162
- 62 B 135 B 1 1
  DNS Request: pmiqpskfkwkc.com
- 62 B 78 B 1 1
  DNS Request: pmiqpskfkwkc.net
  DNS Response: 216.218.185.162
- 72 B 158 B 1 1
  DNS Request: 183.59.114.20.in-addr.arpa
- 186 B 135 B 3 1
  DNS Request: osghqrdmlyhh.com
  DNS Request: osghqrdmlyhh.com
  DNS Request: osghqrdmlyhh.com
- 70 B 144 B 1 1
  DNS Request: 18.31.95.13.in-addr.arpa
- 124 B 78 B 2 1
  DNS Request: osghqrdmlyhh.net
  DNS Request: osghqrdmlyhh.net
  DNS Response: 216.218.185.162
- 142 B 145 B 2 1
  DNS Request: 97.17.167.52.in-addr.arpa
  DNS Request: 97.17.167.52.in-addr.arpa
- 73 B 147 B 1 1
  DNS Request: 103.169.127.40.in-addr.arpa
- 73 B 147 B 1 1
  DNS Request: 217.106.137.52.in-addr.arpa
- 142 B 133 B 2 1
  DNS Request: 2.36.159.162.in-addr.arpa
  DNS Request: 2.36.159.162.in-addr.arpa
- 73 B 147 B 1 1
  DNS Request: 103.169.127.40.in-addr.arpa
- 69 B 131 B 1 1
  DNS Request: 92.12.20.2.in-addr.arpa
- 70 B 133 B 1 1
  DNS Request: 82.90.14.23.in-addr.arpa
- 72 B 158 B 1 1
  DNS Request: 13.227.111.52.in-addr.arpa
- 71 B 116 B 1 1
  DNS Request: 0.204.248.87.in-addr.arpa
- 71 B 157 B 1 1
  DNS Request: 8.173.189.20.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9KB
  MD5: 5453b1c8f0cc705a5cfd7860133fb82b
  SHA1: cdc7a93ffa1919a0d552c2b39a0570a4e50b56a7
  SHA256: 4b2ca3bb8086bbca2f9c99b94b5c93c7192020e67a48ba6308279998fa61057b
  SHA512: b0833d76eb3cbe8b172e1978b0150f1c56f8a7e345c1a51e561cdfb73224ffb8da94f52e3a7326ce701e7917e23d1242d12f81df22d693e9ae010085971b14ca