Analysis

  • max time kernel
    158s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19/06/2024, 21:50 UTC

General

  • Target

    0def1a87472f2d3e633407e031256f0fa5df2d550a46db954eb4b67e2fb28349_NeikiAnalytics.exe

  • Size

    89KB

  • MD5

    68566b294db6b1c61436e54f4f6b1280

  • SHA1

    6ca1bae1c02d08f1ac81f756caa82f2688a08beb

  • SHA256

    0def1a87472f2d3e633407e031256f0fa5df2d550a46db954eb4b67e2fb28349

  • SHA512

    9d72a04e57db14e349955abb531350a964a232e97fc77001599b04836a7343af3458988648fcda7df3ee3e475a51d59943e7f52bbfe9f9d1760c02ef8d3ac071

  • SSDEEP

    1536:k9o65gQK3Zm+Mt9RV5O8oQ9cXFunGm6ManhFLnBqHan6owwosTk8vxA:k9o6fK2XqXQwhnHlqQo8Lvy

Malware Config

Signatures

  • Tinba / TinyBanker

    Banking trojan which uses packet sniffing to steal data.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2400
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
      1⤵
        PID:2420
      • C:\Windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
          PID:2632
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
            PID:3360
            • C:\Users\Admin\AppData\Local\Temp\0def1a87472f2d3e633407e031256f0fa5df2d550a46db954eb4b67e2fb28349_NeikiAnalytics.exe
              "C:\Users\Admin\AppData\Local\Temp\0def1a87472f2d3e633407e031256f0fa5df2d550a46db954eb4b67e2fb28349_NeikiAnalytics.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1196
              • C:\Windows\SysWOW64\winver.exe
                winver
                3⤵
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of WriteProcessMemory
                PID:2788
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
            1⤵
              PID:3540
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              1⤵
                PID:3784
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                  PID:3892
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4008
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                    PID:3112
                  • C:\Windows\System32\RuntimeBroker.exe
                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                    1⤵
                      PID:4188
                    • C:\Windows\System32\RuntimeBroker.exe
                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                      1⤵
                        PID:4592
                      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                        1⤵
                          PID:3356
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2448
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ff97c662e98,0x7ff97c662ea4,0x7ff97c662eb0
                            2⤵
                              PID:4388
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2280 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:2
                              2⤵
                                PID:2864
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3224 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:3
                                2⤵
                                  PID:3852
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3328 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
                                  2⤵
                                    PID:2940
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5260 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:1
                                    2⤵
                                      PID:1716
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5468 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:1
                                      2⤵
                                        PID:1164
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3852 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
                                        2⤵
                                          PID:1796
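The tree above shows the sample (PID 1196, running from the user's Temp directory) using WriteProcessMemory and spawning winver.exe (PID 2788), a signed Windows binary from SysWOW64, which then adds a Run key, enumerates processes and, as the Network section records, carries all of the C2 traffic. The following is an added example, not sandbox output, that encodes that parent/child shape as a triage heuristic over process events. The event records are constructed by hand from the tree above; the record layout, the tag spellings and the function names are assumptions made for this example.

```python
"""Heuristic pass over a process tree like the one in this report.

Added example, not part of the sandbox's own output.  The events below are
constructed from the report's process tree (PIDs, images and the signature
tags the sandbox attached to each process); the record layout, tag names
and function names are assumptions made for this example.
"""
from dataclasses import dataclass

# Locations a standard user can write to.  A binary that runs from one of
# these and writes into the memory of a child living under C:\Windows is
# the shape of process hollowing / injection into a signed host process.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int                       # 0 where the report shows no parent
    image: str
    tags: frozenset = frozenset()   # sandbox signature tags on this process


def is_user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def is_system_binary(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def find_injection_chains(events):
    """Return [(parent_pid, child_pid, reasons)] for every parent/child pair
    where a binary in a user-writable directory spawned a Windows system
    binary and the sandbox saw WriteProcessMemory on the parent.  Extra
    reasons are appended when the child then behaves like the implant
    (persists via a Run key, enumerates processes, injects further)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if not (is_user_writable(parent.image) and is_system_binary(child.image)):
            continue
        if "WriteProcessMemory" not in parent.tags:
            continue
        reasons = ["parent in user-writable dir wrote into a system-binary child"]
        if "AddsRunKey" in child.tags:
            reasons.append("child persisted via Run key")
        if "EnumeratesProcesses" in child.tags:
            reasons.append("child enumerates processes")
        if "WriteProcessMemory" in child.tags:
            reasons.append("child writes into other processes")
        hits.append((parent.pid, child.pid, reasons))
    return hits


# Constructed from the tree above; the tag strings are hypothetical names
# standing in for the sandbox's signature lines.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0def1a87472f2d3e633407e031256f0fa5df2d550a46db954eb4b67e2fb28349_NeikiAnalytics.exe")
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

EVENTS = [
    ProcEvent(3360, 0, r"C:\Windows\Explorer.EXE"),
    ProcEvent(1196, 3360, SAMPLE, frozenset({"WriteProcessMemory"})),
    ProcEvent(2788, 1196, r"C:\Windows\SysWOW64\winver.exe",
              frozenset({"AddsRunKey", "EnumeratesProcesses",
                         "FindShellTrayWindow", "WriteProcessMemory"})),
    ProcEvent(4008, 0, r"C:\Windows\System32\RuntimeBroker.exe",
              frozenset({"AdjustPrivilegeToken"})),
    # Edge also shows WriteProcessMemory (it sets up its own sandboxed
    # children), but neither side of that pair matches the pattern.
    ProcEvent(2448, 0, EDGE, frozenset({"WriteProcessMemory"})),
    ProcEvent(4388, 2448, EDGE),
]

if __name__ == "__main__":
    for ppid, pid, why in find_injection_chains(EVENTS):
        print(f"{ppid} -> {pid}: " + "; ".join(why))
```

Only the sample-to-winver.exe pair is reported; Edge's WriteProcessMemory on its own child and RuntimeBroker's AdjustPrivilegeToken are ordinary and fall through the filter, which is the point of keying on the combination rather than on any single API.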

                                      Network

                                      • flag-us
                                        DNS
                                        www.google.com
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        www.google.com
                                        IN A
                                        Response
                                        www.google.com
                                        IN A
                                        142.250.187.196
                                      • flag-us
                                        DNS
                                        insamertojertoq.cc
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        insamertojertoq.cc
                                        IN A
                                        Response
                                      • flag-us
                                        DNS
                                        196.249.167.52.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        196.249.167.52.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        172.214.232.199.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        172.214.232.199.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        172.214.232.199.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        172.214.232.199.in-addr.arpa
                                        IN PTR
                                      • flag-us
                                        DNS
                                        76.32.126.40.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        76.32.126.40.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        76.32.126.40.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        76.32.126.40.in-addr.arpa
                                        IN PTR
                                      • flag-us
                                        DNS
                                        chromewebstore.googleapis.com
                                        msedge.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        chromewebstore.googleapis.com
                                        IN A
                                        Response
                                        chromewebstore.googleapis.com
                                        IN A
                                        172.217.16.234
                                        chromewebstore.googleapis.com
                                        IN A
                                        142.250.179.234
                                        chromewebstore.googleapis.com
                                        IN A
                                        216.58.212.234
                                        chromewebstore.googleapis.com
                                        IN A
                                        142.250.187.234
                                        chromewebstore.googleapis.com
                                        IN A
                                        142.250.200.10
                                        chromewebstore.googleapis.com
                                        IN A
                                        172.217.169.10
                                        chromewebstore.googleapis.com
                                        IN A
                                        142.250.200.42
                                        chromewebstore.googleapis.com
                                        IN A
                                        142.250.180.10
                                        chromewebstore.googleapis.com
                                        IN A
                                        142.250.178.10
                                        chromewebstore.googleapis.com
                                        IN A
                                        216.58.201.106
                                        chromewebstore.googleapis.com
                                        IN A
                                        216.58.212.202
                                        chromewebstore.googleapis.com
                                        IN A
                                        216.58.204.74
                                        chromewebstore.googleapis.com
                                        IN A
                                        142.250.187.202
                                      • flag-us
                                        DNS
                                        chromewebstore.googleapis.com
                                        msedge.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        chromewebstore.googleapis.com
                                        IN Unknown
                                        Response
                                      • flag-us
                                        DNS
                                        pki.goog
                                        msedge.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        pki.goog
                                        IN A
                                        Response
                                        pki.goog
                                        IN A
                                        216.239.32.29
                                      • flag-us
                                        DNS
                                        pki.goog
                                        msedge.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        pki.goog
                                        IN Unknown
                                        Response
                                      • flag-us
                                        GET
                                        http://pki.goog/gsr1/gsr1.crt
                                        msedge.exe
                                        Remote address:
                                        216.239.32.29:80
                                        Request
                                        GET /gsr1/gsr1.crt HTTP/1.1
                                        Host: pki.goog
                                        Connection: keep-alive
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
                                        Accept-Encoding: gzip, deflate
                                        Accept-Language: en-US,en;q=0.9
                                        Response
                                        HTTP/1.1 200 OK
                                        Accept-Ranges: bytes
                                        Content-Encoding: gzip
                                        Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
                                        Cross-Origin-Resource-Policy: cross-origin
                                        Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
                                        Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
                                        Content-Length: 797
                                        X-Content-Type-Options: nosniff
                                        Server: sffe
                                        X-XSS-Protection: 0
                                        Date: Wed, 19 Jun 2024 21:27:46 GMT
                                        Expires: Wed, 19 Jun 2024 22:17:46 GMT
                                        Cache-Control: public, max-age=3000
                                        Age: 1395
                                        Last-Modified: Wed, 20 May 2020 16:45:00 GMT
                                        Content-Type: application/pkix-cert
                                        Vary: Accept-Encoding
                                      • flag-us
                                        GET
                                        http://pki.goog/repo/certs/gtsr1.der
                                        msedge.exe
                                        Remote address:
                                        216.239.32.29:80
                                        Request
                                        GET /repo/certs/gtsr1.der HTTP/1.1
                                        Host: pki.goog
                                        Connection: keep-alive
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
                                        Accept-Encoding: gzip, deflate
                                        Accept-Language: en-US,en;q=0.9
                                        Response
                                        HTTP/1.1 200 OK
                                        Accept-Ranges: bytes
                                        Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
                                        Cross-Origin-Resource-Policy: cross-origin
                                        Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
                                        Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
                                        Content-Length: 1371
                                        X-Content-Type-Options: nosniff
                                        Server: sffe
                                        X-XSS-Protection: 0
                                        Date: Wed, 19 Jun 2024 21:27:58 GMT
                                        Expires: Wed, 19 Jun 2024 22:17:58 GMT
                                        Cache-Control: public, max-age=3000
                                        Age: 1383
                                        Last-Modified: Sun, 25 Jun 2023 02:58:00 GMT
                                        Content-Type: application/pkix-cert
                                        Vary: Accept-Encoding
                                      • flag-us
                                        GET
                                        http://pki.goog/repo/certs/gts1c3.der
                                        msedge.exe
                                        Remote address:
                                        216.239.32.29:80
                                        Request
                                        GET /repo/certs/gts1c3.der HTTP/1.1
                                        Host: pki.goog
                                        Connection: keep-alive
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
                                        Accept-Encoding: gzip, deflate
                                        Accept-Language: en-US,en;q=0.9
                                        Response
                                        HTTP/1.1 200 OK
                                        Accept-Ranges: bytes
                                        Content-Encoding: gzip
                                        Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
                                        Cross-Origin-Resource-Policy: cross-origin
                                        Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
                                        Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
                                        Content-Length: 1304
                                        X-Content-Type-Options: nosniff
                                        Server: sffe
                                        X-XSS-Protection: 0
                                        Date: Wed, 19 Jun 2024 21:28:33 GMT
                                        Expires: Wed, 19 Jun 2024 22:18:33 GMT
                                        Cache-Control: public, max-age=3000
                                        Age: 1348
                                        Last-Modified: Mon, 17 Aug 2020 09:45:00 GMT
                                        Content-Type: application/pkix-cert
                                        Vary: Accept-Encoding
                                      • flag-us
                                        DNS
                                        234.16.217.172.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        234.16.217.172.in-addr.arpa
                                        IN PTR
                                        Response
                                        234.16.217.172.in-addr.arpa
                                        IN PTR
                                         lhr48s28-in-f10.1e100.net
                                        234.16.217.172.in-addr.arpa
                                        IN PTR
                                         mad08s04-in-f10.1e100.net
                                      • flag-us
                                        DNS
                                        234.16.217.172.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        234.16.217.172.in-addr.arpa
                                        IN PTR
                                      • flag-us
                                        DNS
                                        29.32.239.216.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        29.32.239.216.in-addr.arpa
                                        IN PTR
                                        Response
                                        29.32.239.216.in-addr.arpa
                                        IN PTR
                                         any-in-201d.1e100.net
                                      • flag-us
                                        DNS
                                        29.32.239.216.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        29.32.239.216.in-addr.arpa
                                        IN PTR
                                      • flag-us
                                        DNS
                                        insamertojertoq.cc
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        insamertojertoq.cc
                                        IN A
                                        Response
                                      • flag-us
                                        DNS
                                        yxjsibeugmmj.com
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        yxjsibeugmmj.com
                                        IN A
                                        Response
                                        yxjsibeugmmj.com
                                        IN A
                                        216.218.185.162
                                      • flag-us
                                        DNS
                                        yxjsibeugmmj.com
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        yxjsibeugmmj.com
                                        IN A
                                      • flag-us
                                        POST
                                        http://yxjsibeugmmj.com/in0odrfqwbio0sa/
                                        winver.exe
                                        Remote address:
                                        216.218.185.162:80
                                        Request
                                        POST /in0odrfqwbio0sa/ HTTP/1.0
                                        Host: yxjsibeugmmj.com
                                        Content-Length: 157
                                        Response
                                        HTTP/1.1 200 OK
                                        Server: nginx/1.21.6
                                        Date: Wed, 19 Jun 2024 21:51:09 GMT
                                        Content-Type: application/octet-stream
                                        Content-Length: 0
                                        Connection: close
                                      • flag-us
                                        DNS
                                        lngothvvceon.com
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        lngothvvceon.com
                                        IN A
                                        Response
                                        lngothvvceon.com
                                        IN A
                                        216.218.185.162
                                      • flag-us
                                        POST
                                        http://lngothvvceon.com/in0odrfqwbio0sa/
                                        winver.exe
                                        Remote address:
                                        216.218.185.162:80
                                        Request
                                        POST /in0odrfqwbio0sa/ HTTP/1.0
                                        Host: lngothvvceon.com
                                        Content-Length: 157
                                        Response
                                        HTTP/1.1 200 OK
                                        Server: nginx/1.21.6
                                        Date: Wed, 19 Jun 2024 21:51:11 GMT
                                        Content-Type: application/octet-stream
                                        Content-Length: 0
                                        Connection: close
                                      • flag-us
                                        DNS
                                        162.185.218.216.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        162.185.218.216.in-addr.arpa
                                        IN PTR
                                        Response
                                        162.185.218.216.in-addr.arpa
                                        IN CNAME
                                        162.160-29.185.218.216.in-addr.arpa
                                        162.160-29.185.218.216.in-addr.arpa
                                        IN PTR
                                         216-218-185-162.sinkhole.shadowserver.org
                                      • flag-us
                                        DNS
                                        162.185.218.216.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        162.185.218.216.in-addr.arpa
                                        IN PTR
                                      • flag-us
                                        DNS
                                        tbiimhetdqyn.com
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        tbiimhetdqyn.com
                                        IN A
                                        Response
                                      • flag-us
                                        DNS
                                        tbiimhetdqyn.net
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        tbiimhetdqyn.net
                                        IN A
                                        Response
                                        tbiimhetdqyn.net
                                        IN A
                                        216.218.185.162
                                      • flag-us
                                        DNS
                                        tbiimhetdqyn.net
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        tbiimhetdqyn.net
                                        IN A
                                      • flag-us
                                        POST
                                        http://tbiimhetdqyn.net/in0odrfqwbio0sa/
                                        winver.exe
                                        Remote address:
                                        216.218.185.162:80
                                        Request
                                        POST /in0odrfqwbio0sa/ HTTP/1.0
                                        Host: tbiimhetdqyn.net
                                        Content-Length: 157
                                        Response
                                        HTTP/1.1 200 OK
                                        Server: nginx/1.21.6
                                        Date: Wed, 19 Jun 2024 21:51:13 GMT
                                        Content-Type: application/octet-stream
                                        Content-Length: 0
                                        Connection: close
                                      • flag-us
                                        DNS
                                        pmiqpskfkwkc.com
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        pmiqpskfkwkc.com
                                        IN A
                                        Response
                                      • flag-us
                                        DNS
                                        pmiqpskfkwkc.net
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        pmiqpskfkwkc.net
                                        IN A
                                        Response
                                        pmiqpskfkwkc.net
                                        IN A
                                        216.218.185.162
                                      • flag-us
                                        DNS
                                        183.59.114.20.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        183.59.114.20.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        POST
                                        http://pmiqpskfkwkc.net/in0odrfqwbio0sa/
                                        winver.exe
                                        Remote address:
                                        216.218.185.162:80
                                        Request
                                        POST /in0odrfqwbio0sa/ HTTP/1.0
                                        Host: pmiqpskfkwkc.net
                                        Content-Length: 157
                                        Response
                                        HTTP/1.1 200 OK
                                        Server: nginx/1.21.6
                                        Date: Wed, 19 Jun 2024 21:51:14 GMT
                                        Content-Type: application/octet-stream
                                        Content-Length: 0
                                        Connection: close
                                      • flag-us
                                        DNS
                                        osghqrdmlyhh.com
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        osghqrdmlyhh.com
                                        IN A
                                        Response
                                      • flag-us
                                        DNS
                                        osghqrdmlyhh.com
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        osghqrdmlyhh.com
                                        IN A
                                      • flag-us
                                        DNS
                                        osghqrdmlyhh.com
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        osghqrdmlyhh.com
                                        IN A
                                      • flag-us
                                        DNS
                                        18.31.95.13.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        18.31.95.13.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        osghqrdmlyhh.net
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        osghqrdmlyhh.net
                                        IN A
                                        Response
                                        osghqrdmlyhh.net
                                        IN A
                                        216.218.185.162
                                      • flag-us
                                        DNS
                                        osghqrdmlyhh.net
                                        winver.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        osghqrdmlyhh.net
                                        IN A
                                      • flag-us
                                        POST
                                        http://osghqrdmlyhh.net/in0odrfqwbio0sa/
                                        winver.exe
                                        Remote address:
                                        216.218.185.162:80
                                        Request
                                        POST /in0odrfqwbio0sa/ HTTP/1.0
                                        Host: osghqrdmlyhh.net
                                        Content-Length: 157
                                        Response
                                        HTTP/1.1 200 OK
                                        Server: nginx/1.21.6
                                        Date: Wed, 19 Jun 2024 21:51:19 GMT
                                        Content-Type: application/octet-stream
                                        Connection: close
                                      • flag-us
                                        DNS
                                        97.17.167.52.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        97.17.167.52.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        97.17.167.52.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        97.17.167.52.in-addr.arpa
                                        IN PTR
                                      • flag-us
                                        DNS
                                        103.169.127.40.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        103.169.127.40.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        217.106.137.52.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        217.106.137.52.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        2.36.159.162.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        2.36.159.162.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        2.36.159.162.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        2.36.159.162.in-addr.arpa
                                        IN PTR
                                      • flag-us
                                        DNS
                                        103.169.127.40.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        103.169.127.40.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        92.12.20.2.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        92.12.20.2.in-addr.arpa
                                        IN PTR
                                        Response
                                        92.12.20.2.in-addr.arpa
                                        IN PTR
                                        a2-20-12-92.deploy.static.akamaitechnologies.com
                                      • flag-us
                                        DNS
                                        82.90.14.23.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        82.90.14.23.in-addr.arpa
                                        IN PTR
                                        Response
                                        82.90.14.23.in-addr.arpa
                                        IN PTR
                                        a23-14-90-82.deploy.static.akamaitechnologies.com
                                      • flag-us
                                        DNS
                                        13.227.111.52.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        13.227.111.52.in-addr.arpa
                                        IN PTR
                                        Response
                                      • flag-us
                                        DNS
                                        0.204.248.87.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        0.204.248.87.in-addr.arpa
                                        IN PTR
                                        Response
                                        0.204.248.87.in-addr.arpa
                                        IN PTR
                                        https-87-248-204-0.lhr.llnw.net
                                      • flag-us
                                        DNS
                                        8.173.189.20.in-addr.arpa
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        8.173.189.20.in-addr.arpa
                                        IN PTR
                                        Response
                                      • 172.217.16.234:443
                                        chromewebstore.googleapis.com
                                        tls
                                        msedge.exe
                                        1.0kB
                                        5.2kB
                                        8
                                        7
                                      • 216.239.32.29:80
                                        pki.goog
                                        msedge.exe
                                        242 B
                                        156 B
                                        5
                                        3
                                      • 216.239.32.29:80
                                        http://pki.goog/repo/certs/gts1c3.der
                                        http
                                        msedge.exe
                                        1.3kB
                                        6.1kB
                                        10
                                        10

                                        HTTP Request

                                        GET http://pki.goog/gsr1/gsr1.crt

                                        HTTP Response

                                        200

                                        HTTP Request

                                        GET http://pki.goog/repo/certs/gtsr1.der

                                        HTTP Response

                                        200

                                        HTTP Request

                                        GET http://pki.goog/repo/certs/gts1c3.der

                                        HTTP Response

                                        200
                                      • 216.218.185.162:80
                                        http://yxjsibeugmmj.com/in0odrfqwbio0sa/
                                        http
                                        winver.exe
                                        507 B
                                        400 B
                                        6
                                        6

                                        HTTP Request

                                        POST http://yxjsibeugmmj.com/in0odrfqwbio0sa/

                                        HTTP Response

                                        200
                                      • 216.218.185.162:80
                                        http://lngothvvceon.com/in0odrfqwbio0sa/
                                        http
                                        winver.exe
                                        680 B
                                        400 B
                                        7
                                        6

                                        HTTP Request

                                        POST http://lngothvvceon.com/in0odrfqwbio0sa/

                                        HTTP Response

                                        200
                                      • 216.218.185.162:80
                                        http://tbiimhetdqyn.net/in0odrfqwbio0sa/
                                        http
                                        winver.exe
                                        611 B
                                        360 B
                                        6
                                        5

                                        HTTP Request

                                        POST http://tbiimhetdqyn.net/in0odrfqwbio0sa/

                                        HTTP Response

                                        200
                                      • 216.218.185.162:80
                                        http://pmiqpskfkwkc.net/in0odrfqwbio0sa/
                                        http
                                        winver.exe
                                        553 B
                                        400 B
                                        7
                                        6

                                        HTTP Request

                                        POST http://pmiqpskfkwkc.net/in0odrfqwbio0sa/

                                        HTTP Response

                                        200
                                      • 216.218.185.162:80
                                        http://osghqrdmlyhh.net/in0odrfqwbio0sa/
                                        http
                                        winver.exe
                                        1.6kB
                                        1.3kB
                                        30
                                        29

                                        HTTP Request

                                        POST http://osghqrdmlyhh.net/in0odrfqwbio0sa/

                                        HTTP Response

                                        200
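The traffic above has the shape an analyst should recognise without knowing the family label: winver.exe (not the original sample, which has injected into it) resolves a series of 12-letter lowercase names, falls back from .com to .net when the .com query returns nothing, gets the same address 216.218.185.162 for every name that resolves, and then sends an identical POST (HTTP/1.0, path /in0odrfqwbio0sa/, 157-byte body) to each host, receiving an empty 200 from nginx. The reverse lookup of that address answers 216-218-185-162.sinkhole.shadowserver.org, so the empty 200 responses come from a sinkhole, not from live C2 infrastructure, and the sample's real panel was never reached in this run. The following script is an added example, not part of the sandbox report or of the Tinba sample; it triages records transcribed from the log above as constructed inline data and flags the DGA cluster, the TLD fallback, the sinkholed address and the beacon fingerprint. The entropy and length thresholds, the sinkhole naming pattern and the HTTP version assumed for the msedge.exe request are my assumptions, not values from the report.

```python
import math
import re
from collections import Counter, defaultdict

# --- Constructed input, transcribed from the sandbox network log ---
# (process, query name, tuple of A answers); an empty tuple means no answer
DNS_RECORDS = [
    ("winver.exe", "yxjsibeugmmj.com", ("216.218.185.162",)),
    ("winver.exe", "lngothvvceon.com", ("216.218.185.162",)),
    ("winver.exe", "tbiimhetdqyn.com", ()),
    ("winver.exe", "tbiimhetdqyn.net", ("216.218.185.162",)),
    ("winver.exe", "pmiqpskfkwkc.com", ()),
    ("winver.exe", "pmiqpskfkwkc.net", ("216.218.185.162",)),
    ("winver.exe", "osghqrdmlyhh.com", ()),
    ("winver.exe", "osghqrdmlyhh.net", ("216.218.185.162",)),
    ("winver.exe", "www.google.com", ("142.250.187.196",)),
    ("msedge.exe", "pki.goog", ("216.239.32.29",)),
]

# Reverse (PTR) answers from the log, keyed by the address they describe
PTR_RECORDS = {
    "216.218.185.162": "216-218-185-162.sinkhole.shadowserver.org",
    "2.20.12.92": "a2-20-12-92.deploy.static.akamaitechnologies.com",
    "87.248.204.0": "https-87-248-204-0.lhr.llnw.net",
}

# (process, method, version, host, path, request Content-Length, status)
# The HTTP/1.1 on the msedge.exe row is assumed; the log only says "http".
HTTP_RECORDS = [
    ("winver.exe", "POST", "HTTP/1.0", "yxjsibeugmmj.com", "/in0odrfqwbio0sa/", 157, 200),
    ("winver.exe", "POST", "HTTP/1.0", "lngothvvceon.com", "/in0odrfqwbio0sa/", 157, 200),
    ("winver.exe", "POST", "HTTP/1.0", "tbiimhetdqyn.net", "/in0odrfqwbio0sa/", 157, 200),
    ("winver.exe", "POST", "HTTP/1.0", "pmiqpskfkwkc.net", "/in0odrfqwbio0sa/", 157, 200),
    ("winver.exe", "POST", "HTTP/1.0", "osghqrdmlyhh.net", "/in0odrfqwbio0sa/", 157, 200),
    ("msedge.exe", "GET", "HTTP/1.1", "pki.goog", "/repo/certs/gts1c3.der", 0, 200),
]


def shannon_entropy(label: str) -> float:
    """Bits per character; the 12-letter names above all score a little over 3.0."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def is_dga_like(qname: str, min_len=10, max_len=16, min_entropy=3.0) -> bool:
    """Heuristic (assumed thresholds): a bare <label>.<tld> whose label is all
    lowercase ASCII letters, 10-16 chars long and high-entropy."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 2:
        return False
    sld = labels[0]
    return (min_len <= len(sld) <= max_len
            and sld.isascii() and sld.isalpha()
            and shannon_entropy(sld) >= min_entropy)


def cluster_by_answer(records):
    """Map each answered IP to the sorted DGA-like names that resolved to it.
    Many generated names on one address is the DGA-to-C2 (or sinkhole) cluster."""
    clusters = defaultdict(set)
    for _proc, qname, answers in records:
        if is_dga_like(qname):
            for ip in answers:
                clusters[ip].add(qname)
    return {ip: sorted(names) for ip, names in clusters.items()}


def tld_fallback_pairs(records):
    """Bases whose .com query got no answer but whose .net twin resolved,
    the TLD rotation visible in the log."""
    resolved = {qname: bool(answers) for _proc, qname, answers in records}
    bases = []
    for name, ok in resolved.items():
        if name.endswith(".com") and not ok:
            base = name[:-len(".com")]
            if resolved.get(base + ".net"):
                bases.append(base)
    return sorted(bases)


SINKHOLE_PTR = re.compile(r"(^|\.)sinkhole\.", re.IGNORECASE)


def is_sinkhole(ptr: str) -> bool:
    """Assumed pattern: Shadowserver labels its sinkhole reverse DNS with 'sinkhole.'."""
    return bool(SINKHOLE_PTR.search(ptr))


def beacon_fingerprints(records, min_hosts=3):
    """Group requests by (process, method, version, path, body length). One shape
    reused across several unrelated hosts is a beacon, not browsing."""
    shapes = defaultdict(set)
    for proc, method, version, host, path, req_len, _status in records:
        shapes[(proc, method, version, path, req_len)].add(host)
    return {shape: sorted(hosts) for shape, hosts in shapes.items()
            if len(hosts) >= min_hosts}


def triage(dns=DNS_RECORDS, ptr=PTR_RECORDS, http=HTTP_RECORDS):
    """Summarise the indicators worth extracting from this run."""
    clusters = cluster_by_answer(dns)
    return {
        "dga_domains": sorted(q for _p, q, _a in dns if is_dga_like(q)),
        "tld_fallback": tld_fallback_pairs(dns),
        "c2_ips": clusters,
        "sinkholed": sorted(ip for ip in clusters if is_sinkhole(ptr.get(ip, ""))),
        "beacons": beacon_fingerprints(http),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The useful output is the beacon shape (POST, HTTP/1.0, /in0odrfqwbio0sa/, 157 bytes) and the TLD fallback list, both of which survive a change of seed-generated domains, whereas the five hostnames and the sinkhole address are only worth blocking as a record of this particular run.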
                                      • 8.8.8.8:53
                                        www.google.com
                                        dns
                                        winver.exe
                                        60 B
                                        76 B
                                        1
                                        1

                                        DNS Request

                                        www.google.com

                                        DNS Response

                                        142.250.187.196

                                      • 8.8.8.8:53
                                        insamertojertoq.cc
                                        dns
                                        winver.exe
                                        64 B
                                        131 B
                                        1
                                        1

                                        DNS Request

                                        insamertojertoq.cc

                                      • 8.8.8.8:53
                                        196.249.167.52.in-addr.arpa
                                        dns
                                        73 B
                                        147 B
                                        1
                                        1

                                        DNS Request

                                        196.249.167.52.in-addr.arpa

                                      • 8.8.8.8:53
                                        172.214.232.199.in-addr.arpa
                                        dns
                                        148 B
                                        128 B
                                        2
                                        1

                                        DNS Request

                                        172.214.232.199.in-addr.arpa

                                        DNS Request

                                        172.214.232.199.in-addr.arpa

                                      • 8.8.8.8:53
                                        76.32.126.40.in-addr.arpa
                                        dns
                                        142 B
                                        157 B
                                        2
                                        1

                                        DNS Request

                                        76.32.126.40.in-addr.arpa

                                        DNS Request

                                        76.32.126.40.in-addr.arpa

                                      • 8.8.8.8:53
                                        chromewebstore.googleapis.com
                                        dns
                                        msedge.exe
                                        75 B
                                        283 B
                                        1
                                        1

                                        DNS Request

                                        chromewebstore.googleapis.com

                                        DNS Response

                                        172.217.16.234
                                        142.250.179.234
                                        216.58.212.234
                                        142.250.187.234
                                        142.250.200.10
                                        172.217.169.10
                                        142.250.200.42
                                        142.250.180.10
                                        142.250.178.10
                                        216.58.201.106
                                        216.58.212.202
                                        216.58.204.74
                                        142.250.187.202

                                      • 8.8.8.8:53
                                        chromewebstore.googleapis.com
                                        dns
                                        msedge.exe
                                        75 B
                                        132 B
                                        1
                                        1

                                        DNS Request

                                        chromewebstore.googleapis.com

                                      • 8.8.8.8:53
                                        pki.goog
                                        dns
                                        msedge.exe
                                        54 B
                                        70 B
                                        1
                                        1

                                        DNS Request

                                        pki.goog

                                        DNS Response

                                        216.239.32.29

                                      • 8.8.8.8:53
                                        pki.goog
                                        dns
                                        msedge.exe
                                        54 B
                                        128 B
                                        1
                                        1

                                        DNS Request

                                        pki.goog

                                      • 8.8.8.8:53
                                        234.16.217.172.in-addr.arpa
                                        dns
                                        146 B
                                        142 B
                                        2
                                        1

                                        DNS Request

                                        234.16.217.172.in-addr.arpa

                                        DNS Request

                                        234.16.217.172.in-addr.arpa

                                      • 8.8.8.8:53
                                        29.32.239.216.in-addr.arpa
                                        dns
                                        144 B
                                        107 B
                                        2
                                        1

                                        DNS Request

                                        29.32.239.216.in-addr.arpa

                                        DNS Request

                                        29.32.239.216.in-addr.arpa

                                      • 8.8.8.8:53
                                        insamertojertoq.cc
                                        dns
                                        winver.exe
                                        64 B
                                        131 B
                                        1
                                        1

                                        DNS Request

                                        insamertojertoq.cc

                                      • 8.8.8.8:53
                                        yxjsibeugmmj.com
                                        dns
                                        winver.exe
                                        124 B
                                        78 B
                                        2
                                        1

                                        DNS Request

                                        yxjsibeugmmj.com

                                        DNS Request

                                        yxjsibeugmmj.com

                                        DNS Response

                                        216.218.185.162

                                      • 8.8.8.8:53
                                        lngothvvceon.com
                                        dns
                                        winver.exe
                                        62 B
                                        78 B
                                        1
                                        1

                                        DNS Request

                                        lngothvvceon.com

                                        DNS Response

                                        216.218.185.162

                                      • 8.8.8.8:53
                                        162.185.218.216.in-addr.arpa
                                        dns
                                        148 B
                                        154 B
                                        2
                                        1

                                        DNS Request

                                        162.185.218.216.in-addr.arpa

                                        DNS Request

                                        162.185.218.216.in-addr.arpa

                                      • 8.8.8.8:53
                                        tbiimhetdqyn.com
                                        dns
                                        winver.exe
                                        62 B
                                        135 B
                                        1
                                        1

                                        DNS Request

                                        tbiimhetdqyn.com

                                      • 8.8.8.8:53
                                        tbiimhetdqyn.net
                                        dns
                                        winver.exe
                                        124 B
                                        78 B
                                        2
                                        1

                                        DNS Request

                                        tbiimhetdqyn.net

                                        DNS Request

                                        tbiimhetdqyn.net

                                        DNS Response

                                        216.218.185.162

                                      • 8.8.8.8:53
                                        pmiqpskfkwkc.com
                                        dns
                                        winver.exe
                                        62 B
                                        135 B
                                        1
                                        1

                                        DNS Request

                                        pmiqpskfkwkc.com

                                      • 8.8.8.8:53
                                        pmiqpskfkwkc.net
                                        dns
                                        winver.exe
                                        62 B
                                        78 B
                                        1
                                        1

                                        DNS Request

                                        pmiqpskfkwkc.net

                                        DNS Response

                                        216.218.185.162

                                      • 8.8.8.8:53
                                        183.59.114.20.in-addr.arpa
                                        dns
                                        72 B
                                        158 B
                                        1
                                        1

                                        DNS Request

                                        183.59.114.20.in-addr.arpa

                                      • 8.8.8.8:53
                                        osghqrdmlyhh.com
                                        dns
                                        winver.exe
                                        186 B
                                        135 B
                                        3
                                        1

                                        DNS Request

                                        osghqrdmlyhh.com

                                        DNS Request

                                        osghqrdmlyhh.com

                                        DNS Request

                                        osghqrdmlyhh.com

                                      • 8.8.8.8:53
                                        18.31.95.13.in-addr.arpa
                                        dns
                                        70 B
                                        144 B
                                        1
                                        1

                                        DNS Request

                                        18.31.95.13.in-addr.arpa

                                      • 8.8.8.8:53
                                        osghqrdmlyhh.net
                                        dns
                                        winver.exe
                                        124 B
                                        78 B
                                        2
                                        1

                                        DNS Request

                                        osghqrdmlyhh.net

                                        DNS Request

                                        osghqrdmlyhh.net

                                        DNS Response

                                        216.218.185.162

                                      • 8.8.8.8:53
                                        97.17.167.52.in-addr.arpa
                                        dns
                                        142 B
                                        145 B
                                        2
                                        1

                                        DNS Request

                                        97.17.167.52.in-addr.arpa

                                        DNS Request

                                        97.17.167.52.in-addr.arpa

                                      • 8.8.8.8:53
                                        103.169.127.40.in-addr.arpa
                                        dns
                                        73 B
                                        147 B
                                        1
                                        1

                                        DNS Request

                                        103.169.127.40.in-addr.arpa

                                      • 8.8.8.8:53
                                        217.106.137.52.in-addr.arpa
                                        dns
                                        73 B
                                        147 B
                                        1
                                        1

                                        DNS Request

                                        217.106.137.52.in-addr.arpa

                                      • 8.8.8.8:53
                                        2.36.159.162.in-addr.arpa
                                        dns
                                        142 B
                                        133 B
                                        2
                                        1

                                        DNS Request

                                        2.36.159.162.in-addr.arpa

                                        DNS Request

                                        2.36.159.162.in-addr.arpa

                                      • 8.8.8.8:53
                                        103.169.127.40.in-addr.arpa
                                        dns
                                        73 B
                                        147 B
                                        1
                                        1

                                        DNS Request

                                        103.169.127.40.in-addr.arpa

                                      • 8.8.8.8:53
                                        92.12.20.2.in-addr.arpa
                                        dns
                                        69 B
                                        131 B
                                        1
                                        1

                                        DNS Request

                                        92.12.20.2.in-addr.arpa

                                      • 8.8.8.8:53
                                        82.90.14.23.in-addr.arpa
                                        dns
                                        70 B
                                        133 B
                                        1
                                        1

                                        DNS Request

                                        82.90.14.23.in-addr.arpa

                                      • 8.8.8.8:53
                                        13.227.111.52.in-addr.arpa
                                        dns
                                        72 B
                                        158 B
                                        1
                                        1

                                        DNS Request

                                        13.227.111.52.in-addr.arpa

                                      • 8.8.8.8:53
                                        0.204.248.87.in-addr.arpa
                                        dns
                                        71 B
                                        116 B
                                        1
                                        1

                                        DNS Request

                                        0.204.248.87.in-addr.arpa

                                      • 8.8.8.8:53
                                        8.173.189.20.in-addr.arpa
                                        dns
                                        71 B
                                        157 B
                                        1
                                        1

                                        DNS Request

                                        8.173.189.20.in-addr.arpa

                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        9KB

                                        MD5

                                        5453b1c8f0cc705a5cfd7860133fb82b

                                        SHA1

                                        cdc7a93ffa1919a0d552c2b39a0570a4e50b56a7

                                        SHA256

                                        4b2ca3bb8086bbca2f9c99b94b5c93c7192020e67a48ba6308279998fa61057b

                                        SHA512

                                        b0833d76eb3cbe8b172e1978b0150f1c56f8a7e345c1a51e561cdfb73224ffb8da94f52e3a7326ce701e7917e23d1242d12f81df22d693e9ae010085971b14ca

                                      • memory/1196-10-0x0000000000400000-0x000000000041D000-memory.dmp

                                        Filesize

                                        116KB

                                      • memory/1196-1-0x00000000023A0000-0x0000000002DA0000-memory.dmp

                                        Filesize

                                        10.0MB

                                      • memory/1196-11-0x00000000023A0000-0x0000000002DA0000-memory.dmp

                                        Filesize

                                        10.0MB

                                      • memory/1196-0-0x0000000000500000-0x0000000000502000-memory.dmp

                                        Filesize

                                        8KB

                                      • memory/2400-21-0x0000000000A90000-0x0000000000A96000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/2400-12-0x0000000000A90000-0x0000000000A96000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/2420-13-0x0000000000520000-0x0000000000526000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/2420-22-0x0000000000520000-0x0000000000526000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/2632-23-0x0000000000860000-0x0000000000866000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/2632-14-0x0000000000860000-0x0000000000866000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/2788-6-0x0000000000CB0000-0x0000000000CB6000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/2788-7-0x0000000076FF2000-0x0000000076FF3000-memory.dmp

                                        Filesize

                                        4KB

                                      • memory/2788-50-0x0000000000CB0000-0x0000000000CB6000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/3112-27-0x0000000000410000-0x0000000000416000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/3356-30-0x0000000000C80000-0x0000000000C86000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/3356-33-0x0000000000C80000-0x0000000000C86000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/3360-2-0x0000000000D40000-0x0000000000D46000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/3360-9-0x00007FF9A430D000-0x00007FF9A430E000-memory.dmp

                                        Filesize

                                        4KB

                                      • memory/3360-15-0x0000000000D50000-0x0000000000D56000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/3360-20-0x0000000000D50000-0x0000000000D56000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/3360-8-0x0000000000D40000-0x0000000000D46000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/3540-24-0x0000000000090000-0x0000000000096000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/3540-16-0x0000000000090000-0x0000000000096000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/3784-17-0x0000000000040000-0x0000000000046000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/3892-25-0x0000000000F70000-0x0000000000F76000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/3892-18-0x0000000000F70000-0x0000000000F76000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/4008-26-0x0000000000AB0000-0x0000000000AB6000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/4008-19-0x0000000000AB0000-0x0000000000AB6000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/4188-31-0x00000000005F0000-0x00000000005F6000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/4188-28-0x00000000005F0000-0x00000000005F6000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/4592-32-0x0000000000830000-0x0000000000836000-memory.dmp

                                        Filesize

                                        24KB

                                      • memory/4592-29-0x0000000000830000-0x0000000000836000-memory.dmp

                                        Filesize

                                        24KB
