hawkeye | 91506ce6b6052875242687efede3b7014aad246956525a2a89cb58b882df070b

Analysis

max time kernel
132s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 12:50 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe
Size

790KB
MD5

6f42a0a4f4c44c32c274c2383096d515
SHA1

dcef833539c48b66f83c80c7f349bbbb16a057cd
SHA256

50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd
SHA512

87d1b426d2cfbdd609f4d8b2a4bd09ba2afeb101307e3a4dcc8fa9fa9bd1f0498a3ce5bedf50e2fb92c838b0e9a44624ca4d72b5f539cc10245cfedca04b3312
SSDEEP

12288:qUi2iN7WxGv2cEgBsSs4j9a1sEEWPPJK1i2RGPBaVj0FbJqzvH1i4QPuTfj+:qUi1SgPEg2j1HPBKnRq40EvHEvP4fj+

Score

10^/10

hawkeye collection credential_access discovery keylogger spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 9 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4956-11-0x0000000000400000-0x0000000000488000-memory.dmp	Nirsoft
behavioral2/memory/1948-24-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1948-22-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1948-25-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1948-28-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/744-30-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/744-32-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/744-33-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/744-41-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4956-11-0x0000000000400000-0x0000000000488000-memory.dmp	MailPassView
behavioral2/memory/1948-24-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1948-22-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1948-25-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1948-28-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4956-11-0x0000000000400000-0x0000000000488000-memory.dmp	WebBrowserPassView
behavioral2/memory/744-30-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/744-32-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/744-33-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/744-41-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	whatismyipaddress.com
42	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1044 set thread context of 4956	1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	98
PID 4956 set thread context of 1948	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	99
PID 4956 set thread context of 744	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	100

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe
1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe
744	vbc.exe
744	vbc.exe
4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe
Token: SeDebugPrivilege	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2436	1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	97
PID 1044 wrote to memory of 2436	1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	97
PID 1044 wrote to memory of 2436	1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	97
PID 1044 wrote to memory of 4956	1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	98
PID 1044 wrote to memory of 4956	1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	98
PID 1044 wrote to memory of 4956	1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	98
PID 1044 wrote to memory of 4956	1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	98
PID 1044 wrote to memory of 4956	1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	98
PID 1044 wrote to memory of 4956	1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	98
PID 1044 wrote to memory of 4956	1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	98
PID 1044 wrote to memory of 4956	1044	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	98
PID 4956 wrote to memory of 1948	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	99
PID 4956 wrote to memory of 1948	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	99
PID 4956 wrote to memory of 1948	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	99
PID 4956 wrote to memory of 1948	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	99
PID 4956 wrote to memory of 1948	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	99
PID 4956 wrote to memory of 1948	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	99
PID 4956 wrote to memory of 1948	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	99
PID 4956 wrote to memory of 1948	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	99
PID 4956 wrote to memory of 1948	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	99
PID 4956 wrote to memory of 744	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	100
PID 4956 wrote to memory of 744	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	100
PID 4956 wrote to memory of 744	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	100
PID 4956 wrote to memory of 744	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	100
PID 4956 wrote to memory of 744	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	100
PID 4956 wrote to memory of 744	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	100
PID 4956 wrote to memory of 744	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	100
PID 4956 wrote to memory of 744	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	100
PID 4956 wrote to memory of 744	4956	50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe	100

C:\Users\Admin\AppData\Local\Temp\50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe
"C:\Users\Admin\AppData\Local\Temp\50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe
  "C:\Users\Admin\AppData\Local\Temp\50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe"
  2⤵
  PID:2436
- C:\Users\Admin\AppData\Local\Temp\50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe
  "C:\Users\Admin\AppData\Local\Temp\50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1948
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:744

Network

DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cf51b091c12549bcb852af403a586682&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cf51b091c12549bcb852af403a586682&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=39D83C57A83367622F1D28BAA914662F; domain=.bing.com; expires=Fri, 26-Sep-2025 12:50:50 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D819136149D341989C9ABD1F6941BACC Ref B: LON04EDGE0716 Ref C: 2024-09-01T12:50:50Z
date: Sun, 01 Sep 2024 12:50:49 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cf51b091c12549bcb852af403a586682&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cf51b091c12549bcb852af403a586682&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=39D83C57A83367622F1D28BAA914662F

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=r_6ehzCjuuPzBphiw-zRLbNuEbq2qoF7Wjjo_xZ04EM; domain=.bing.com; expires=Fri, 26-Sep-2025 12:50:50 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1E6469BB05444E6D84486F2C37A173C4 Ref B: LON04EDGE0716 Ref C: 2024-09-01T12:50:50Z
date: Sun, 01 Sep 2024 12:50:49 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cf51b091c12549bcb852af403a586682&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cf51b091c12549bcb852af403a586682&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=39D83C57A83367622F1D28BAA914662F; MSPTC=r_6ehzCjuuPzBphiw-zRLbNuEbq2qoF7Wjjo_xZ04EM

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DF5875C4FA3D4C0C8BC7EE6F3EE2D82E Ref B: LON04EDGE0716 Ref C: 2024-09-01T12:50:50Z
date: Sun, 01 Sep 2024 12:50:49 GMT
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

14.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.160.190.20.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

whatismyipaddress.com

50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe

Remote address:

8.8.8.8:53

Request

whatismyipaddress.com

IN A

Response

whatismyipaddress.com

IN A

104.19.223.79

whatismyipaddress.com

IN A

104.19.222.79
GET

http://whatismyipaddress.com/

50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe

Remote address:

104.19.223.79:80

Request

GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Date: Sun, 01 Sep 2024 12:51:32 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sun, 01 Sep 2024 13:51:32 GMT
Location: https://whatismyipaddress.com/
Set-Cookie: __cf_bm=Ig9EPVa9QdnwLIivA2tctHmOXxVGmGrqxEvHVInp8dM-1725195092-1.0.1.1-ArYWcBGYI7LPCKv.sQ86k2AbTZZgWHErKr2dUaqfNqbfTwzOpQ4dk411M_8dKECwpCkiBM23VMVVC4BRZlOkPQ; path=/; expires=Sun, 01-Sep-24 13:21:32 GMT; domain=.whatismyipaddress.com; HttpOnly
X-Frame-Options: deny
Server: cloudflare
CF-RAY: 8bc56472ce6306fd-LHR
alt-svc: h3=":443"; ma=86400
GET

https://whatismyipaddress.com/

50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe

Remote address:

104.19.223.79:443

Request

GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Sun, 01 Sep 2024 12:51:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
cf-mitigated: challenge
cf-chl-out: vSh3ZFSGTwM+q7aVymVg7RIOtFNjDT/DeuG9LZAruEEGal8NvTwfvq8lT8iS9bYR3PW6gDpqlqwy5d3e4JliixQfj2NfU/VcrJbxeJhVOCMZQoD2zs2fBjUwDY/NdhvykIXl9qKdNQSlfYG5bDt0Iw==$Dre9vKj2aCfxzjRMDJdwAw==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cf_bm=fRWI_o6JtBywzvrfH8X0wI5fqN8OlkWPIdjonGZXcH8-1725195093-1.0.1.1-DjlCATJzkBPsDSN1DpSWI9.SFX3bigFlbl_NFvM9vPrd0CjK.c0e5vH6UDI5MaWRDIz9h0k6DBIpEp6m5kp9Yw; path=/; expires=Sun, 01-Sep-24 13:21:33 GMT; domain=.whatismyipaddress.com; HttpOnly; Secure
X-Frame-Options: deny
Server: cloudflare
CF-RAY: 8bc56473ec4660f8-LHR
alt-svc: h3=":443"; ma=86400
DNS

79.223.19.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.223.19.104.in-addr.arpa

IN PTR

Response
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

ftp.snugshinvn.com

50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe

Remote address:

8.8.8.8:53

Request

ftp.snugshinvn.com

IN A

Response
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 679182
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D64EAD7D7F1C431B9B99ED3C2D1FE135 Ref B: LON04EDGE0606 Ref C: 2024-09-01T12:52:27Z
date: Sun, 01 Sep 2024 12:52:27 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 325315
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 67FD8E43F26E42AC951E59D80D60F9FA Ref B: LON04EDGE0606 Ref C: 2024-09-01T12:52:27Z
date: Sun, 01 Sep 2024 12:52:27 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 473521
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A2C674AB1C304DD888EE10A312720D5F Ref B: LON04EDGE0606 Ref C: 2024-09-01T12:52:27Z
date: Sun, 01 Sep 2024 12:52:27 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360433144_1RLNQD8OFQA9LQ1KZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360433144_1RLNQD8OFQA9LQ1KZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 584217
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DBAC11A623934393813F287B879460EB Ref B: LON04EDGE0606 Ref C: 2024-09-01T12:52:27Z
date: Sun, 01 Sep 2024 12:52:27 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 666327
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5CA9C7A1F0F9454D8BFCCF18FED3E34C Ref B: LON04EDGE0606 Ref C: 2024-09-01T12:52:27Z
date: Sun, 01 Sep 2024 12:52:27 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360433145_1P8I9JAN4TGEHJX5M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239360433145_1P8I9JAN4TGEHJX5M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 482331
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FFD9927ED06043B2AB41F516964F39C9 Ref B: LON04EDGE0606 Ref C: 2024-09-01T12:52:27Z
date: Sun, 01 Sep 2024 12:52:27 GMT
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

10.28.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.28.171.150.in-addr.arpa

IN PTR

Response

150.171.27.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cf51b091c12549bcb852af403a586682&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cf51b091c12549bcb852af403a586682&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=cf51b091c12549bcb852af403a586682&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=cf51b091c12549bcb852af403a586682&localId=w:46BA0F9A-9D8F-F2F0-D464-1297A0CDD8CE&deviceId=6825833576093963&anid=

HTTP Response

204
104.19.223.79:80

http://whatismyipaddress.com/

http

50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe

347 B
951 B
6
4

HTTP Request

GET http://whatismyipaddress.com/

HTTP Response

301
104.19.223.79:443

https://whatismyipaddress.com/

tls, http

50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe

1.2kB
22.9kB
19
30

HTTP Request

GET https://whatismyipaddress.com/

HTTP Response

403
52.111.227.11:443

322 B
7
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
12
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239360433145_1P8I9JAN4TGEHJX5M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

114.2kB
3.3MB
2409
2403

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418591_10FJHPMA48A1P20JW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418592_1RYDTURC2A8KOBZ9U&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360433144_1RLNQD8OFQA9LQ1KZ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360433145_1P8I9JAN4TGEHJX5M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

14.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.160.190.20.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

whatismyipaddress.com

dns

50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe

67 B
99 B
1
1

DNS Request

whatismyipaddress.com

DNS Response

104.19.223.79

104.19.222.79
8.8.8.8:53

79.223.19.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

79.223.19.104.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

ftp.snugshinvn.com

dns

50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe

64 B
137 B
1
1

DNS Request

ftp.snugshinvn.com
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

10.28.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.28.171.150.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\50acb0d9a9bc6cbca94b77ff490d5aff20c453b24c1fdd498a38a0878755d0bd.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
memory/744-41-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/744-30-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/744-32-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/744-33-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/744-39-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/1044-4-0x0000000004BD0000-0x0000000004BDA000-memory.dmp

Filesize
40KB

Download
memory/1044-8-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/1044-9-0x00000000059E0000-0x0000000005A7C000-memory.dmp

Filesize
624KB

Download
memory/1044-10-0x0000000005C80000-0x0000000005D2C000-memory.dmp

Filesize
688KB

Download
memory/1044-7-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/1044-6-0x0000000004DE0000-0x0000000004DEE000-memory.dmp

Filesize
56KB

Download
memory/1044-14-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/1044-5-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/1044-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/1044-3-0x0000000004C40000-0x0000000004CD2000-memory.dmp

Filesize
584KB

Download
memory/1044-2-0x0000000005150000-0x00000000056F4000-memory.dmp

Filesize
5.6MB

Download
memory/1044-1-0x0000000000100000-0x00000000001CC000-memory.dmp

Filesize
816KB

Download
memory/1948-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1948-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1948-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1948-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4956-29-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/4956-21-0x0000000008090000-0x0000000008098000-memory.dmp

Filesize
32KB

Download
memory/4956-20-0x00000000077B0000-0x0000000007816000-memory.dmp

Filesize
408KB

Download
memory/4956-17-0x0000000005460000-0x00000000054B6000-memory.dmp

Filesize
344KB

Download
memory/4956-16-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/4956-15-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/4956-11-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.