Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/09/2024, 01:22 UTC

General

  • Target

    6b880d602f77fc4061a3f6b0a7619e9a8899d9e61eeeea4460eec1d900aeb66f.exe

  • Size

    214KB

  • MD5

    8b9be712ba5f26a1f6369833d52193fb

  • SHA1

    187b0a0888114923e4f611ed90402d7bf0e21733

  • SHA256

    6b880d602f77fc4061a3f6b0a7619e9a8899d9e61eeeea4460eec1d900aeb66f

  • SHA512

    33c457fab7b2910452de37d2a263d46b2391bb4b34b0c37793b6f5875180e92cb2caebfb2ab08e72393b0230407505c94eef6b41040c1500b2b4393fb3b58d08

  • SSDEEP

    3072:YASCGfSRnbJBJ0IQALHFv0raVXyPg9a+lfB0pyTbQ:0fSRnbJBJTLlr04C6

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs 1 IoCs
  • Creates new service(s) 2 TTPs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b880d602f77fc4061a3f6b0a7619e9a8899d9e61eeeea4460eec1d900aeb66f.exe
    "C:\Users\Admin\AppData\Local\Temp\6b880d602f77fc4061a3f6b0a7619e9a8899d9e61eeeea4460eec1d900aeb66f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lgtmihzk\
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2384
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xjrouhnl.exe" C:\Windows\SysWOW64\lgtmihzk\
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2464
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create lgtmihzk binPath= "C:\Windows\SysWOW64\lgtmihzk\xjrouhnl.exe /d\"C:\Users\Admin\AppData\Local\Temp\6b880d602f77fc4061a3f6b0a7619e9a8899d9e61eeeea4460eec1d900aeb66f.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2812
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description lgtmihzk "wifi internet conection"
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2824
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start lgtmihzk
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2780
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2808
  • C:\Windows\SysWOW64\lgtmihzk\xjrouhnl.exe
    C:\Windows\SysWOW64\lgtmihzk\xjrouhnl.exe /d"C:\Users\Admin\AppData\Local\Temp\6b880d602f77fc4061a3f6b0a7619e9a8899d9e61eeeea4460eec1d900aeb66f.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Windows security bypass
      • Sets service image path in registry
      • Deletes itself
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:2788

Network

  • flag-us
    DNS
    microsoft.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    microsoft.com
    IN A
    Response
    microsoft.com
    IN A
    20.236.44.162
    microsoft.com
    IN A
    20.231.239.246
    microsoft.com
    IN A
    20.70.246.20
    microsoft.com
    IN A
    20.76.201.171
    microsoft.com
    IN A
    20.112.250.133
  • flag-us
    DNS
    microsoft.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    microsoft.com
    IN A
  • flag-us
    DNS
    microsoft.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    microsoft.com
    IN A
  • flag-us
    DNS
    microsoft.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    microsoft.com
    IN MX
    Response
    microsoft.com
    IN MX
    microsoft-com.mail.protection.outlook.com
  • flag-us
    DNS
    microsoft-com.mail.protection.outlook.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    microsoft-com.mail.protection.outlook.com
    IN A
    Response
    microsoft-com.mail.protection.outlook.com
    IN A
    52.101.40.26
    microsoft-com.mail.protection.outlook.com
    IN A
    52.101.42.0
    microsoft-com.mail.protection.outlook.com
    IN A
    52.101.11.0
    microsoft-com.mail.protection.outlook.com
    IN A
    52.101.8.49
  • flag-us
    DNS
    vanaheim.cn
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    vanaheim.cn
    IN A
    Response
    vanaheim.cn
    IN A
    77.232.41.29
  • flag-us
    DNS
    vanaheim.cn
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    vanaheim.cn
    IN A
  • flag-us
    DNS
    vanaheim.cn
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    vanaheim.cn
    IN A
  • flag-us
    DNS
    vanaheim.cn
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    vanaheim.cn
    IN A
  • flag-us
    DNS
    yahoo.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    yahoo.com
    IN MX
    Response
    yahoo.com
    IN MX
    mta6.am0.yahoodns.net
    yahoo.com
    IN MX
    mta5.am0.yahoodns.net
    yahoo.com
    IN MX
    mta7.am0.yahoodns.net
  • flag-us
    DNS
    mta6.am0.yahoodns.net
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mta6.am0.yahoodns.net
    IN A
    Response
    mta6.am0.yahoodns.net
    IN A
    98.136.96.91
    mta6.am0.yahoodns.net
    IN A
    67.195.204.73
    mta6.am0.yahoodns.net
    IN A
    67.195.204.77
    mta6.am0.yahoodns.net
    IN A
    98.136.96.74
    mta6.am0.yahoodns.net
    IN A
    67.195.204.72
    mta6.am0.yahoodns.net
    IN A
    67.195.228.106
    mta6.am0.yahoodns.net
    IN A
    67.195.204.74
    mta6.am0.yahoodns.net
    IN A
    98.136.96.77
  • flag-us
    DNS
    google.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    google.com
    IN MX
    Response
    google.com
    IN MX
    smtp.google.com
  • flag-us
    DNS
    smtp.google.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    smtp.google.com
    IN A
    Response
    smtp.google.com
    IN A
    142.250.102.27
    smtp.google.com
    IN A
    142.250.27.27
    smtp.google.com
    IN A
    142.250.102.26
    smtp.google.com
    IN A
    142.250.27.26
  • flag-us
    DNS
    70.13.110.194.dnsbl.sorbs.net
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.dnsbl.sorbs.net
    IN A
  • flag-us
    DNS
    70.13.110.194.dnsbl.sorbs.net
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.dnsbl.sorbs.net
    IN A
  • flag-us
    DNS
    70.13.110.194.dnsbl.sorbs.net
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.dnsbl.sorbs.net
    IN A
  • flag-us
    DNS
    70.13.110.194.dnsbl.sorbs.net
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.dnsbl.sorbs.net
    IN A
  • flag-us
    DNS
    70.13.110.194.dnsbl.sorbs.net
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.dnsbl.sorbs.net
    IN A
  • flag-us
    DNS
    mail.ru
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mail.ru
    IN MX
    Response
    mail.ru
    IN MX
    mxs.mail.ru
  • flag-us
    DNS
    mail.ru
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mail.ru
    IN MX
  • flag-us
    DNS
    mail.ru
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mail.ru
    IN MX
  • flag-us
    DNS
    mxs.mail.ru
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    mxs.mail.ru
    IN A
    Response
    mxs.mail.ru
    IN A
    94.100.180.31
    mxs.mail.ru
    IN A
    217.69.139.150
  • flag-us
    DNS
    70.13.110.194.bl.spamcop.net
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.bl.spamcop.net
    IN A
    Response
  • flag-us
    DNS
    70.13.110.194.bl.spamcop.net
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.bl.spamcop.net
    IN A
  • flag-us
    DNS
    70.13.110.194.bl.spamcop.net
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.bl.spamcop.net
    IN A
  • flag-us
    DNS
    70.13.110.194.bl.spamcop.net
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.bl.spamcop.net
    IN A
  • flag-us
    DNS
    70.13.110.194.bl.spamcop.net
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.bl.spamcop.net
    IN A
  • flag-us
    DNS
    www.google.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.27.104
    www.google.com
    IN A
    142.250.27.99
    www.google.com
    IN A
    142.250.27.105
    www.google.com
    IN A
    142.250.27.147
    www.google.com
    IN A
    142.250.27.103
    www.google.com
    IN A
    142.250.27.106
  • flag-nl
    GET
    http://www.google.com/
    svchost.exe
    Remote address:
    142.250.27.104:80
    Request
    GET / HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Accept-Language: en
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14,52 from: http://www.bsalsa.com/ EmbeddedWB 14,52; .NET CLR 2.0.50727)
    Host: www.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMbW7rYGIjDAP8jf4RciOIvqqkWSM85EyxyA8_pivff0pFFSRJOpFTyGIlpSYEjlzgGfncYItREyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIxtbutgYQwIvl8gESBMJuDUY
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-kpkW-u6-4Lxsr60XvZuK9g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Sat, 07 Sep 2024 01:24:22 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVYB7co6Dlh7e2J9bD0H37W0pfsxtasVfK_2lVv6Dt4KI-Wqr8aHnT27hjk; expires=Thu, 06-Mar-2025 01:24:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-nl
    GET
    http://www.google.com/
    svchost.exe
    Remote address:
    142.250.27.104:80
    Request
    GET / HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Accept-Language: en
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14,52 from: http://www.bsalsa.com/ EmbeddedWB 14,52; .NET CLR 2.0.50727)
    Host: www.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMbW7rYGIjDAP8jf4RciOIvqqkWSM85EyxyA8_pivff0pFFSRJOpFTyGIlpSYEjlzgGfncYItREyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIxtbutgYQsd20qgISBMJuDUY
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-u74jxgDpSL_rwQLyUA10Xw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Sat, 07 Sep 2024 01:24:22 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVYB7cp9ktiZj5EecLQvfo6yrlFx86BcUktpceahYArW-BdlZ-0x-oa5amg; expires=Thu, 06-Mar-2025 01:24:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-nl
    GET
    http://www.google.com/
    svchost.exe
    Remote address:
    142.250.27.104:80
    Request
    GET / HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Accept-Language: en
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14,52 from: http://www.bsalsa.com/ EmbeddedWB 14,52; .NET CLR 2.0.50727)
    Host: www.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMbW7rYGIjDAP8jf4RciOIvqqkWSM85EyxyA8_pivff0pFFSRJOpFTyGIlpSYEjlzgGfncYItREyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIxtbutgYQueL2sgISBMJuDUY
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-PoE4-Ykyz5-NFsIMAJWUyA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Sat, 07 Sep 2024 01:24:22 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVYB7cqc8pxXJwDG2KZCq4aC8tiVRrR2_48Z9PSJUHh6XV5PPdcloXuFadY; expires=Thu, 06-Mar-2025 01:24:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-nl
    GET
    http://www.google.com/
    svchost.exe
    Remote address:
    142.250.27.104:80
    Request
    GET / HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Accept-Language: en
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14,52 from: http://www.bsalsa.com/ EmbeddedWB 14,52; .NET CLR 2.0.50727)
    Host: www.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMbW7rYGIjDAP8jf4RciOIvqqkWSM85EyxyA8_pivff0pFFSRJOpFTyGIlpSYEjlzgGfncYItREyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIxtbutgYQlrKPsgISBMJuDUY
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-fr7HYrEOUBNT_-vuUqsPqg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Sat, 07 Sep 2024 01:24:22 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVYB7cp5vduh8FZa6THzwwPK9njPICPX6LVh5txLVxcLRWLnztw-roHwdSI; expires=Thu, 06-Mar-2025 01:24:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-nl
    GET
    http://www.google.com/
    svchost.exe
    Remote address:
    142.250.27.104:80
    Request
    GET / HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Accept-Language: en
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14,52 from: http://www.bsalsa.com/ EmbeddedWB 14,52; .NET CLR 2.0.50727)
    Host: www.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMbW7rYGIjDAP8jf4RciOIvqqkWSM85EyxyA8_pivff0pFFSRJOpFTyGIlpSYEjlzgGfncYItREyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIxtbutgYQkPulkgISBMJuDUY
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-zF_f55nAsyUkU8fKK48pfQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Sat, 07 Sep 2024 01:24:22 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVYB7cqBGxHl-VsR7il8NWc07PhxNrVN9ZBlMwdTr_sbJxfo8XgL4F1X8Q; expires=Thu, 06-Mar-2025 01:24:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-nl
    GET
    http://www.google.com/
    svchost.exe
    Remote address:
    142.250.27.104:80
    Request
    GET / HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Accept-Language: en
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14,52 from: http://www.bsalsa.com/ EmbeddedWB 14,52; .NET CLR 2.0.50727)
    Host: www.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMbW7rYGIjDAP8jf4RciOIvqqkWSM85EyxyA8_pivff0pFFSRJOpFTyGIlpSYEjlzgGfncYItREyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIxtbutgYQ_-qJtQISBMJuDUY
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-9EL13Z_grJuBaI1IcIqHYg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Sat, 07 Sep 2024 01:24:22 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVYB7cpRYHQTgomTxiXdIcqARio_Vcto5fVBQDjgWy1Si2B19dk67KaQXw; expires=Thu, 06-Mar-2025 01:24:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-nl
    GET
    http://www.google.com/
    svchost.exe
    Remote address:
    142.250.27.104:80
    Request
    GET / HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Accept-Language: en
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14,52 from: http://www.bsalsa.com/ EmbeddedWB 14,52; .NET CLR 2.0.50727)
    Host: www.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Location: http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGMbW7rYGIjDAP8jf4RciOIvqqkWSM85EyxyA8_pivff0pFFSRJOpFTyGIlpSYEjlzgGfncYItREyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
    x-hallmonitor-challenge: CgwIxtbutgYQlKyfogISBMJuDUY
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-kXwvV4bkVOO05paaG79F6Q' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Date: Sat, 07 Sep 2024 01:24:22 GMT
    Server: gws
    Content-Length: 396
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVYB7co3aXuwiebPXBRuWRWSWR_FG6e9EWWUESw0mq9UCMPnnTbcQ7NylwA; expires=Thu, 06-Mar-2025 01:24:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
  • flag-us
    DNS
    70.13.110.194.zen.spamhaus.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.zen.spamhaus.org
    IN A
    Response
  • flag-us
    DNS
    70.13.110.194.sbl-xbl.spamhaus.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.sbl-xbl.spamhaus.org
    IN A
    Response
  • flag-us
    DNS
    70.13.110.194.cbl.abuseat.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.cbl.abuseat.org
    IN A
    Response
  • flag-us
    DNS
    70.13.110.194.dnsbl.sorbs.net
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.dnsbl.sorbs.net
    IN A
    Response
  • flag-us
    DNS
    macelleriamarinodonato.altervista.org
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    macelleriamarinodonato.altervista.org
    IN A
    Response
    macelleriamarinodonato.altervista.org
    IN A
    168.119.8.211
  • flag-de
    POST
    http://macelleriamarinodonato.altervista.org/Macelleria/wp-content/plugins/wp-instead-bot/index.php
    svchost.exe
    Remote address:
    168.119.8.211:80
    Request
    POST /Macelleria/wp-content/plugins/wp-instead-bot/index.php HTTP/1.1
    Host: macelleriamarinodonato.altervista.org
    Connection: close
    Accept-Encoding: gzip,deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 67
    Accept: */*
    Accept-Language: *
    User-Agent: Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 10.0; WOW64; Trident/6.0; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Referer: http://macelleriamarinodonato.altervista.org
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 01:24:28 GMT
    Server: Apache
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    70.13.110.194.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    70.13.110.194.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    t.me
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-us
    DNS
    api.steampowered.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    api.steampowered.com
    IN A
    Response
    api.steampowered.com
    IN A
    104.82.131.75
  • flag-gb
    GET
    http://api.steampowered.com/ISteamUser/GetFriendList/v1/?key=063C978AB3826751FA44EC88D8EC9387&steamid=76561198862874568
    svchost.exe
    Remote address:
    104.82.131.75:80
    Request
    GET /ISteamUser/GetFriendList/v1/?key=063C978AB3826751FA44EC88D8EC9387&steamid=76561198862874568 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
    host: api.steampowered.com
    accept-encoding: gzip, deflate
    Connection: close
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/json; charset=UTF-8
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 251
    Expires: Sat, 07 Sep 2024 01:24:38 GMT
    Date: Sat, 07 Sep 2024 01:24:38 GMT
    Connection: close
  • flag-us
    DNS
    api.steampowered.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    api.steampowered.com
    IN A
    Response
    api.steampowered.com
    IN A
    104.82.131.75
  • flag-gb
    GET
    http://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=01B98D39E4618BB1F4081371B93CB963&steamid=76561198365449719&include_played_free_games=1
    svchost.exe
    Remote address:
    104.82.131.75:80
    Request
    GET /IPlayerService/GetOwnedGames/v1/?key=01B98D39E4618BB1F4081371B93CB963&steamid=76561198365449719&include_played_free_games=1 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
    host: api.steampowered.com
    accept-encoding: gzip, deflate
    Connection: close
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/json; charset=UTF-8
    X-eresult: 15
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Expires: Sat, 07 Sep 2024 01:25:02 GMT
    Date: Sat, 07 Sep 2024 01:25:02 GMT
    Content-Length: 35
    Connection: close
    X-N: S
  • flag-us
    DNS
    www.google.ru
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.ru
    IN A
    Response
    www.google.ru
    IN A
    142.250.102.94
  • flag-us
    DNS
    www.google.fr
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    www.google.fr
    IN A
    Response
    www.google.fr
    IN A
    142.250.27.94
  • flag-us
    DNS
    t.me
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-us
    DNS
    vodka.money
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    vodka.money
    IN A
    Response
    vodka.money
    IN A
    45.81.58.5
  • flag-us
    DNS
    api.vk.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    api.vk.com
    IN A
    Response
    api.vk.com
    IN A
    87.240.139.193
    api.vk.com
    IN A
    87.240.190.75
    api.vk.com
    IN A
    87.240.137.207
    api.vk.com
    IN A
    87.240.190.70
    api.vk.com
    IN A
    93.186.225.205
    api.vk.com
    IN A
    87.240.137.208
    api.vk.com
    IN A
    87.240.129.140
    api.vk.com
    IN A
    87.240.137.130
    api.vk.com
    IN A
    87.240.137.206
  • flag-us
    DNS
    steamcommunity.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    steamcommunity.com
    IN A
    Response
    steamcommunity.com
    IN A
    104.82.131.75
  • flag-us
    DNS
    api.steampowered.com
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    api.steampowered.com
    IN A
    Response
    api.steampowered.com
    IN A
    104.82.131.75
  • flag-gb
    GET
    http://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=7F31E675166ED17F3E2BC0C40571467C&steamid=76561199071854120&include_played_free_games=1
    svchost.exe
    Remote address:
    104.82.131.75:80
    Request
    GET /IPlayerService/GetOwnedGames/v1/?key=7F31E675166ED17F3E2BC0C40571467C&steamid=76561199071854120&include_played_free_games=1 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
    host: api.steampowered.com
    accept-encoding: gzip, deflate
    Connection: close
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/json; charset=UTF-8
    X-eresult: 1
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 535
    Expires: Sat, 07 Sep 2024 01:25:29 GMT
    Date: Sat, 07 Sep 2024 01:25:29 GMT
    Connection: close
    X-N: S
  • 20.236.44.162:80
    microsoft.com
    svchost.exe
    190 B
    92 B
    4
    2
  • 52.101.40.26:25
    microsoft-com.mail.protection.outlook.com
    svchost.exe
    152 B
    3
  • 77.232.41.29:443
    vanaheim.cn
    https
    svchost.exe
    520 B
    542 B
    6
    5
  • 62.122.184.58:485
    svchost.exe
    152 B
    3
  • 98.136.96.91:25
    mta6.am0.yahoodns.net
    svchost.exe
    152 B
    3
  • 62.122.184.58:485
    svchost.exe
    11.0kB
    579.3kB
    228
    428
  • 142.250.102.27:25
    smtp.google.com
    svchost.exe
    152 B
    3
  • 94.100.180.31:25
    mxs.mail.ru
    svchost.exe
    152 B
    3
  • 176.111.174.109:421
    svchost.exe
    2.9kB
    2.4kB
    20
    20
  • 45.143.201.238:421
    svchost.exe
    2.7kB
    2.2kB
    20
    23
  • 176.113.115.84:421
    svchost.exe
    2.0kB
    1.3kB
    12
    13
  • 193.143.1.5:421
    svchost.exe
    65.8kB
    7.5kB
    78
    72
  • 176.113.115.135:421
    svchost.exe
    24.3kB
    7.3kB
    56
    52
  • 176.113.115.136:421
    svchost.exe
    7.8kB
    3.2kB
    34
    30
  • 176.111.174.92:421
    svchost.exe
    16.9kB
    5.6kB
    47
    46
  • 142.250.27.104:80
    http://www.google.com/
    http
    svchost.exe
    597 B
    1.4kB
    5
    4

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 142.250.27.104:80
    http://www.google.com/
    http
    svchost.exe
    597 B
    1.4kB
    5
    4

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 142.250.27.104:80
    http://www.google.com/
    http
    svchost.exe
    597 B
    1.4kB
    5
    4

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 142.250.27.104:80
    http://www.google.com/
    http
    svchost.exe
    597 B
    1.4kB
    5
    4

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 142.250.27.104:80
    http://www.google.com/
    http
    svchost.exe
    597 B
    1.4kB
    5
    4

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 142.250.27.104:80
    http://www.google.com/
    http
    svchost.exe
    597 B
    1.4kB
    5
    4

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 142.250.27.104:80
    http://www.google.com/
    http
    svchost.exe
    597 B
    1.4kB
    5
    4

    HTTP Request

    GET http://www.google.com/

    HTTP Response

    302
  • 168.119.8.211:80
    http://macelleriamarinodonato.altervista.org/Macelleria/wp-content/plugins/wp-instead-bot/index.php
    http
    svchost.exe
    855 B
    520 B
    6
    6

    HTTP Request

    POST http://macelleriamarinodonato.altervista.org/Macelleria/wp-content/plugins/wp-instead-bot/index.php

    HTTP Response

    200
  • 149.154.167.99:443
    t.me
    tls
    svchost.exe
    2.1kB
    26.2kB
    25
    33
  • 104.82.131.75:80
    http://api.steampowered.com/ISteamUser/GetFriendList/v1/?key=063C978AB3826751FA44EC88D8EC9387&steamid=76561198862874568
    http
    svchost.exe
    640 B
    1.3kB
    7
    7

    HTTP Request

    GET http://api.steampowered.com/ISteamUser/GetFriendList/v1/?key=063C978AB3826751FA44EC88D8EC9387&steamid=76561198862874568

    HTTP Response

    200
  • 104.82.131.75:80
    http://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=01B98D39E4618BB1F4081371B93CB963&steamid=76561198365449719&include_played_free_games=1
    http
    svchost.exe
    574 B
    514 B
    5
    5

    HTTP Request

    GET http://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=01B98D39E4618BB1F4081371B93CB963&steamid=76561198365449719&include_played_free_games=1

    HTTP Response

    200
  • 142.250.102.94:443
    www.google.ru
    tls
    svchost.exe
    1.4kB
    6.7kB
    14
    14
  • 142.250.27.94:443
    www.google.fr
    tls
    svchost.exe
    2.1kB
    7.6kB
    15
    16
  • 149.154.167.99:443
    t.me
    tls
    svchost.exe
    1.8kB
    25.9kB
    19
    29
  • 62.122.184.58:485
    svchost.exe
    2.7kB
    1.0kB
    14
    17
  • 45.81.58.5:443
    vodka.money
    tls
    svchost.exe
    1.7kB
    4.6kB
    13
    13
  • 142.250.27.104:443
    www.google.com
    tls
    svchost.exe
    1.9kB
    10.4kB
    15
    18
  • 87.240.139.193:443
    api.vk.com
    tls
    svchost.exe
    1.7kB
    7.8kB
    16
    13
  • 104.82.131.75:443
    steamcommunity.com
    tls
    svchost.exe
    820 B
    4.0kB
    9
    9
  • 104.82.131.75:80
    http://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=7F31E675166ED17F3E2BC0C40571467C&steamid=76561199071854120&include_played_free_games=1
    http
    svchost.exe
    620 B
    1.0kB
    6
    5

    HTTP Request

    GET http://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=7F31E675166ED17F3E2BC0C40571467C&steamid=76561199071854120&include_played_free_games=1

    HTTP Response

    200
  • 18.165.231.221:443
    svchost.exe
  • 8.8.8.8:53
    microsoft.com
    dns
    svchost.exe
    177 B
    139 B
    3
    1

    DNS Request

    microsoft.com

    DNS Request

    microsoft.com

    DNS Request

    microsoft.com

    DNS Response

    20.236.44.162
    20.231.239.246
    20.70.246.20
    20.76.201.171
    20.112.250.133

  • 8.8.8.8:53
    microsoft.com
    dns
    svchost.exe
    59 B
    113 B
    1
    1

    DNS Request

    microsoft.com

  • 8.8.8.8:53
    microsoft-com.mail.protection.outlook.com
    dns
    svchost.exe
    87 B
    151 B
    1
    1

    DNS Request

    microsoft-com.mail.protection.outlook.com

    DNS Response

    52.101.40.26
    52.101.42.0
    52.101.11.0
    52.101.8.49

  • 8.8.8.8:53
    vanaheim.cn
    dns
    svchost.exe
    228 B
    73 B
    4
    1

    DNS Request

    vanaheim.cn

    DNS Request

    vanaheim.cn

    DNS Request

    vanaheim.cn

    DNS Request

    vanaheim.cn

    DNS Response

    77.232.41.29

  • 8.8.8.8:53
    yahoo.com
    dns
    svchost.exe
    55 B
    134 B
    1
    1

    DNS Request

    yahoo.com

  • 8.8.8.8:53
    mta6.am0.yahoodns.net
    dns
    svchost.exe
    67 B
    195 B
    1
    1

    DNS Request

    mta6.am0.yahoodns.net

    DNS Response

    98.136.96.91
    67.195.204.73
    67.195.204.77
    98.136.96.74
    67.195.204.72
    67.195.228.106
    67.195.204.74
    98.136.96.77

  • 8.8.8.8:53
    google.com
    dns
    svchost.exe
    56 B
    77 B
    1
    1

    DNS Request

    google.com

  • 8.8.8.8:53
    smtp.google.com
    dns
    svchost.exe
    61 B
    125 B
    1
    1

    DNS Request

    smtp.google.com

    DNS Response

    142.250.102.27
    142.250.27.27
    142.250.102.26
    142.250.27.26

  • 8.8.8.8:53
    70.13.110.194.dnsbl.sorbs.net
    dns
    svchost.exe
    375 B
    5

    DNS Request

    70.13.110.194.dnsbl.sorbs.net

    DNS Request

    70.13.110.194.dnsbl.sorbs.net

    DNS Request

    70.13.110.194.dnsbl.sorbs.net

    DNS Request

    70.13.110.194.dnsbl.sorbs.net

    DNS Request

    70.13.110.194.dnsbl.sorbs.net

  • 8.8.8.8:53
    mail.ru
    dns
    svchost.exe
    159 B
    73 B
    3
    1

    DNS Request

    mail.ru

    DNS Request

    mail.ru

    DNS Request

    mail.ru

  • 8.8.8.8:53
    mxs.mail.ru
    dns
    svchost.exe
    57 B
    89 B
    1
    1

    DNS Request

    mxs.mail.ru

    DNS Response

    94.100.180.31
    217.69.139.150

  • 8.8.8.8:53
    70.13.110.194.bl.spamcop.net
    dns
    svchost.exe
    370 B
    127 B
    5
    1

    DNS Request

    70.13.110.194.bl.spamcop.net

    DNS Request

    70.13.110.194.bl.spamcop.net

    DNS Request

    70.13.110.194.bl.spamcop.net

    DNS Request

    70.13.110.194.bl.spamcop.net

    DNS Request

    70.13.110.194.bl.spamcop.net

  • 8.8.8.8:53
    www.google.com
    dns
    svchost.exe
    60 B
    156 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.27.104
    142.250.27.99
    142.250.27.105
    142.250.27.147
    142.250.27.103
    142.250.27.106

  • 8.8.8.8:53
    70.13.110.194.zen.spamhaus.org
    dns
    svchost.exe
    76 B
    140 B
    1
    1

    DNS Request

    70.13.110.194.zen.spamhaus.org

  • 8.8.8.8:53
    70.13.110.194.sbl-xbl.spamhaus.org
    dns
    svchost.exe
    80 B
    144 B
    1
    1

    DNS Request

    70.13.110.194.sbl-xbl.spamhaus.org

  • 8.8.8.8:53
    70.13.110.194.cbl.abuseat.org
    dns
    svchost.exe
    75 B
    148 B
    1
    1

    DNS Request

    70.13.110.194.cbl.abuseat.org

  • 8.8.8.8:53
    70.13.110.194.dnsbl.sorbs.net
    dns
    svchost.exe
    75 B
    132 B
    1
    1

    DNS Request

    70.13.110.194.dnsbl.sorbs.net

  • 8.8.8.8:53
    macelleriamarinodonato.altervista.org
    dns
    svchost.exe
    83 B
    99 B
    1
    1

    DNS Request

    macelleriamarinodonato.altervista.org

    DNS Response

    168.119.8.211

  • 8.8.8.8:53
    70.13.110.194.in-addr.arpa
    dns
    72 B
    148 B
    1
    1

    DNS Request

    70.13.110.194.in-addr.arpa

  • 8.8.8.8:53
    t.me
    dns
    svchost.exe
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 8.8.8.8:53
    api.steampowered.com
    dns
    svchost.exe
    66 B
    82 B
    1
    1

    DNS Request

    api.steampowered.com

    DNS Response

    104.82.131.75

  • 8.8.8.8:53
    api.steampowered.com
    dns
    svchost.exe
    66 B
    82 B
    1
    1

    DNS Request

    api.steampowered.com

    DNS Response

    104.82.131.75

  • 8.8.8.8:53
    www.google.ru
    dns
    svchost.exe
    59 B
    75 B
    1
    1

    DNS Request

    www.google.ru

    DNS Response

    142.250.102.94

  • 8.8.8.8:53
    www.google.fr
    dns
    svchost.exe
    59 B
    75 B
    1
    1

    DNS Request

    www.google.fr

    DNS Response

    142.250.27.94

  • 8.8.8.8:53
    t.me
    dns
    svchost.exe
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 8.8.8.8:53
    vodka.money
    dns
    svchost.exe
    57 B
    73 B
    1
    1

    DNS Request

    vodka.money

    DNS Response

    45.81.58.5

  • 8.8.8.8:53
    api.vk.com
    dns
    svchost.exe
    56 B
    200 B
    1
    1

    DNS Request

    api.vk.com

    DNS Response

    87.240.139.193
    87.240.190.75
    87.240.137.207
    87.240.190.70
    93.186.225.205
    87.240.137.208
    87.240.129.140
    87.240.137.130
    87.240.137.206

  • 8.8.8.8:53
    steamcommunity.com
    dns
    svchost.exe
    64 B
    80 B
    1
    1

    DNS Request

    steamcommunity.com

    DNS Response

    104.82.131.75

  • 8.8.8.8:53
    api.steampowered.com
    dns
    svchost.exe
    66 B
    82 B
    1
    1

    DNS Request

    api.steampowered.com

    DNS Response

    104.82.131.75

  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\xjrouhnl.exe

    Filesize

    13.1MB

    MD5

    e5075afbe3cf028c8ac58d44128e8d7c

    SHA1

    dd8512457f4bf1e1324d423824d1165823926272

    SHA256

    dfb1278b8490f0c8de57c3e52da00020aaa5c8c18761daec02873dfea7b24949

    SHA512

    2dbc11f99074c63dfd1c95dbcc07f39a5a6711faead63296b9cebcd1641478d5cecc200241a85b8ca1af6d859fef7b6956fdf90b946fab718280bf100cec55e3

  • memory/2284-15-0x0000000000220000-0x0000000000233000-memory.dmp

    Filesize

    76KB

  • memory/2284-2-0x0000000000220000-0x0000000000233000-memory.dmp

    Filesize

    76KB

  • memory/2284-3-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2284-1-0x00000000008A0000-0x00000000009A0000-memory.dmp

    Filesize

    1024KB

  • memory/2284-16-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

  • memory/2284-14-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/2760-12-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/2788-50-0x00000000002B0000-0x00000000002B5000-memory.dmp

    Filesize

    20KB

  • memory/2788-42-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2788-17-0x0000000000110000-0x0000000000125000-memory.dmp

    Filesize

    84KB

  • memory/2788-18-0x0000000000110000-0x0000000000125000-memory.dmp

    Filesize

    84KB

  • memory/2788-27-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-20-0x0000000001C30000-0x0000000001E3F000-memory.dmp

    Filesize

    2.1MB

  • memory/2788-24-0x0000000000080000-0x0000000000086000-memory.dmp

    Filesize

    24KB

  • memory/2788-23-0x0000000001C30000-0x0000000001E3F000-memory.dmp

    Filesize

    2.1MB

  • memory/2788-46-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-11-0x0000000000110000-0x0000000000125000-memory.dmp

    Filesize

    84KB

  • memory/2788-47-0x00000000002B0000-0x00000000002B5000-memory.dmp

    Filesize

    20KB

  • memory/2788-45-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-44-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-43-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-8-0x0000000000110000-0x0000000000125000-memory.dmp

    Filesize

    84KB

  • memory/2788-41-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-40-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-39-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-38-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-37-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-36-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-35-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-34-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-33-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-32-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-31-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-30-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

  • memory/2788-51-0x00000000057F0000-0x0000000005BFB000-memory.dmp

    Filesize

    4.0MB

  • memory/2788-54-0x00000000057F0000-0x0000000005BFB000-memory.dmp

    Filesize

    4.0MB

  • memory/2788-55-0x00000000007D0000-0x00000000007D7000-memory.dmp

    Filesize

    28KB