Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2024, 02:08 UTC

General

  • Target

    Quotation.exe

  • Size

    1.1MB

  • MD5

    816b7984251ee4c846a7f0d6160624e2

  • SHA1

    be82357d711260a412103e7fde8785febd060974

  • SHA256

    648ee80543d70f070c497309e4c7ce090254374da938799074de93bdaafaff5a

  • SHA512

    81e035b9ffd16b8a31ab23f1d2bf621954cd42b8c0fdf0daffbac12f1964d41d949af68a06259e27bcc8163221cbfdb05f300eca7151ff901a2bcd36ca8b7a4c

  • SSDEEP

    24576:G4nhDoAFAcvHumQbl7nu5v12dUC5YpdBNFQWEZNXLGQ7WczkxFnfbP9:G+hkJcvfyl7nu5vaUCMd5iNXKQKczg

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.showpiece.trillennium.biz
  • Port:
    587
  • Username:
    build@showpiece.trillennium.biz
  • Password:
    3KJ[T.3]fsSW
  • Email To:
    cool@showpiece.trillennium.biz

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Agenttesla family
  • Guloader family
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Loads dropped DLL 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:860

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=aaa84cb5cce741f7aceba58c9c40f37d&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=aaa84cb5cce741f7aceba58c9c40f37d&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=2F3F10319F6160C40242051E9E506130; domain=.bing.com; expires=Mon, 01-Dec-2025 02:08:26 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 210E9C1B962C43C6B04384C0331853F2 Ref B: LON601060102029 Ref C: 2024-11-06T02:08:26Z
    date: Wed, 06 Nov 2024 02:08:26 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=aaa84cb5cce741f7aceba58c9c40f37d&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=aaa84cb5cce741f7aceba58c9c40f37d&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2F3F10319F6160C40242051E9E506130
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=VEdKjA2SaGPCMSCXSmfJd5lsPkRSxdBUXOBmHSU8aXc; domain=.bing.com; expires=Mon, 01-Dec-2025 02:08:26 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E824770A42484939B1AFD7FE90EC81C0 Ref B: LON601060102029 Ref C: 2024-11-06T02:08:26Z
    date: Wed, 06 Nov 2024 02:08:26 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=aaa84cb5cce741f7aceba58c9c40f37d&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=aaa84cb5cce741f7aceba58c9c40f37d&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=2F3F10319F6160C40242051E9E506130; MSPTC=VEdKjA2SaGPCMSCXSmfJd5lsPkRSxdBUXOBmHSU8aXc
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5D53A22795E6455494C14497B1FDE906 Ref B: LON601060102029 Ref C: 2024-11-06T02:08:26Z
    date: Wed, 06 Nov 2024 02:08:26 GMT
  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    45.19.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    45.19.74.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.27.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.27.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    drive.google.com
    Quotation.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.google.com
    IN A
    Response
    drive.google.com
    IN A
    142.250.187.206
  • flag-gb
    GET
    https://drive.google.com/uc?export=download&id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA
    Quotation.exe
    Remote address:
    142.250.187.206:443
    Request
    GET /uc?export=download&id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Wed, 06 Nov 2024 02:08:43 GMT
    Location: https://drive.usercontent.google.com/download?id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'nonce-97SiL8FKTNusLk1SxiZvRQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    c.pki.goog
    Quotation.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.187.227
  • flag-gb
    GET
    http://c.pki.goog/r/r1.crl
    Quotation.exe
    Remote address:
    142.250.187.227:80
    Request
    GET /r/r1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 854
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 06 Nov 2024 01:44:57 GMT
    Expires: Wed, 06 Nov 2024 02:34:57 GMT
    Cache-Control: public, max-age=3000
    Age: 1426
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    o.pki.goog
    Quotation.exe
    Remote address:
    8.8.8.8:53
    Request
    o.pki.goog
    IN A
    Response
    o.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.187.227
  • flag-gb
    GET
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDzySkSNBgXtBKLijHUmMxR
    Quotation.exe
    Remote address:
    142.250.187.227:80
    Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDzySkSNBgXtBKLijHUmMxR HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Wed, 06 Nov 2024 02:07:59 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 44
  • flag-gb
    GET
    http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACECt1gF5RMj4mChEciVJIkog%3D
    Quotation.exe
    Remote address:
    142.250.187.227:80
    Request
    GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACECt1gF5RMj4mChEciVJIkog%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 471
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Wed, 06 Nov 2024 02:07:36 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 67
  • flag-us
    DNS
    drive.usercontent.google.com
    Quotation.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.usercontent.google.com
    IN A
    Response
    drive.usercontent.google.com
    IN A
    172.217.16.225
  • flag-gb
    GET
    https://drive.usercontent.google.com/download?id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA&export=download
    Quotation.exe
    Remote address:
    172.217.16.225:443
    Request
    GET /download?id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="rdUaNvnbGprIsBLOHb175.bin"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Places-Ios-Sdk, X-Android-Package, X-Android-Cert, X-Places-Android-Sdk, X-Goog-Maps-Ios-Uuid, X-Goog-Maps-Android-Uuid, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context, x-goog-nest-jwt, X-Cloud-Trace-Context, traceparent, x-goog-chat-space-id, x-goog-pan-request-context, X-AppInt-Credentials
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 240192
    Last-Modified: Tue, 05 Nov 2024 11:56:59 GMT
    X-GUploader-UploadID: AHmUCY30rR3SyUiKq55FoqFfjzJoh6kXe-ipOoWzS7soojeJiEFxwpkFI7YHsfLqfQAC57fx3h8
    Date: Wed, 06 Nov 2024 02:08:46 GMT
    Expires: Wed, 06 Nov 2024 02:08:46 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=dK1fKg==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    206.187.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.187.250.142.in-addr.arpa
    IN PTR
    Response
    206.187.250.142.in-addr.arpa
    IN PTR
    lhr25s33-in-f141e100net
  • flag-us
    DNS
    227.187.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    227.187.250.142.in-addr.arpa
    IN PTR
    Response
    227.187.250.142.in-addr.arpa
    IN PTR
    lhr25s34-in-f31e100net
  • flag-us
    DNS
    225.16.217.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    225.16.217.172.in-addr.arpa
    IN PTR
    Response
    225.16.217.172.in-addr.arpa
    IN PTR
    lhr48s28-in-f11e100net
    225.16.217.172.in-addr.arpa
    IN PTR
    mad08s04-in-f1�H
  • flag-us
    DNS
    api.ipify.org
    Quotation.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    104.26.13.205
    api.ipify.org
    IN A
    104.26.12.205
    api.ipify.org
    IN A
    172.67.74.152
  • flag-us
    GET
    https://api.ipify.org/
    Quotation.exe
    Remote address:
    104.26.13.205:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 06 Nov 2024 02:08:49 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Vary: Origin
    cf-cache-status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8de189b1fc6c6100-LHR
    server-timing: cfL4;desc="?proto=TCP&rtt=23334&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2978&recv_bytes=452&delivery_rate=156920&cwnd=253&unsent_bytes=0&cid=0dd473427ca8e862&ts=143&x=0"
  • flag-us
    DNS
    205.13.26.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.13.26.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 712130
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 57EF7EEE5DE04D6AA0D7BB68AE35FF4B Ref B: LON601060107060 Ref C: 2024-11-06T02:10:06Z
    date: Wed, 06 Nov 2024 02:10:06 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301050_1PONXOEJ6RIZQGBZT&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239317301050_1PONXOEJ6RIZQGBZT&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 815230
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 479F34E0387C413097345CFA5418C29F Ref B: LON601060107060 Ref C: 2024-11-06T02:10:06Z
    date: Wed, 06 Nov 2024 02:10:06 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 759952
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 6A750B48ABA9495EA129D0DD86FC143F Ref B: LON601060107060 Ref C: 2024-11-06T02:10:06Z
    date: Wed, 06 Nov 2024 02:10:06 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301218_1B7RSJ3ZTR7CQSX5W&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239317301218_1B7RSJ3ZTR7CQSX5W&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 854785
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 372AD6AF0B6742469DCAC8AE9BEA2922 Ref B: LON601060107060 Ref C: 2024-11-06T02:10:06Z
    date: Wed, 06 Nov 2024 02:10:06 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301483_19RYSE32QNNQ30Z96&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239317301483_19RYSE32QNNQ30Z96&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 717983
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 73CD939549454F0C962E774602417902 Ref B: LON601060107060 Ref C: 2024-11-06T02:10:06Z
    date: Wed, 06 Nov 2024 02:10:06 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239317301627_1W86XP38C3HTKT30H&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239317301627_1W86XP38C3HTKT30H&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 776202
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2FACD9D55E204C1C893574C5737EBF86 Ref B: LON601060107060 Ref C: 2024-11-06T02:10:06Z
    date: Wed, 06 Nov 2024 02:10:06 GMT
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=aaa84cb5cce741f7aceba58c9c40f37d&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
    tls, http2
    2.0kB
    9.4kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=aaa84cb5cce741f7aceba58c9c40f37d&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=aaa84cb5cce741f7aceba58c9c40f37d&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=aaa84cb5cce741f7aceba58c9c40f37d&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

    HTTP Response

    204
  • 142.250.187.206:443
    https://drive.google.com/uc?export=download&id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA
    tls, http
    Quotation.exe
    1.2kB
    8.9kB
    15
    12

    HTTP Request

    GET https://drive.google.com/uc?export=download&id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA

    HTTP Response

    303
  • 142.250.187.227:80
    http://c.pki.goog/r/r1.crl
    http
    Quotation.exe
    395 B
    1.8kB
    6
    5

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    200
  • 142.250.187.227:80
    http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACECt1gF5RMj4mChEciVJIkog%3D
    http
    Quotation.exe
    830 B
    1.6kB
    8
    5

    HTTP Request

    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDzySkSNBgXtBKLijHUmMxR

    HTTP Response

    200

    HTTP Request

    GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACECt1gF5RMj4mChEciVJIkog%3D

    HTTP Response

    200
  • 172.217.16.225:443
    https://drive.usercontent.google.com/download?id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA&export=download
    tls, http
    Quotation.exe
    9.7kB
    262.8kB
    198
    195

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=1bbmPht414dtBMJVsXpJfN6hufkXy59VA&export=download

    HTTP Response

    200
  • 104.26.13.205:443
    https://api.ipify.org/
    tls, http
    Quotation.exe
    854 B
    3.8kB
    9
    9

    HTTP Request

    GET https://api.ipify.org/

    HTTP Response

    200
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 150.171.28.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239317301627_1W86XP38C3HTKT30H&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    165.2kB
    4.8MB
    3471
    3466

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418569_13408TD3CSPQQLS8W&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301050_1PONXOEJ6RIZQGBZT&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418570_1AILBHE008ZL9RHPC&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301218_1B7RSJ3ZTR7CQSX5W&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301483_19RYSE32QNNQ30Z96&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239317301627_1W86XP38C3HTKT30H&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    6.9kB
    15
    13
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    45.19.74.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    45.19.74.20.in-addr.arpa

  • 8.8.8.8:53
    10.27.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.27.171.150.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    drive.google.com
    dns
    Quotation.exe
    62 B
    78 B
    1
    1

    DNS Request

    drive.google.com

    DNS Response

    142.250.187.206

  • 8.8.8.8:53
    c.pki.goog
    dns
    Quotation.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.187.227

  • 8.8.8.8:53
    o.pki.goog
    dns
    Quotation.exe
    56 B
    107 B
    1
    1

    DNS Request

    o.pki.goog

    DNS Response

    142.250.187.227

  • 8.8.8.8:53
    drive.usercontent.google.com
    dns
    Quotation.exe
    74 B
    90 B
    1
    1

    DNS Request

    drive.usercontent.google.com

    DNS Response

    172.217.16.225

  • 8.8.8.8:53
    206.187.250.142.in-addr.arpa
    dns
    74 B
    113 B
    1
    1

    DNS Request

    206.187.250.142.in-addr.arpa

  • 8.8.8.8:53
    227.187.250.142.in-addr.arpa
    dns
    74 B
    112 B
    1
    1

    DNS Request

    227.187.250.142.in-addr.arpa

  • 8.8.8.8:53
    225.16.217.172.in-addr.arpa
    dns
    73 B
    140 B
    1
    1

    DNS Request

    225.16.217.172.in-addr.arpa

  • 8.8.8.8:53
    api.ipify.org
    dns
    Quotation.exe
    59 B
    107 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    104.26.13.205
    104.26.12.205
    172.67.74.152

  • 8.8.8.8:53
    205.13.26.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    205.13.26.104.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    103.209.201.84.in-addr.arpa
    dns
    73 B
    133 B
    1
    1

    DNS Request

    103.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsiB316.tmp\System.dll

    Filesize

    12KB

    MD5

    d6f54d2cefdf58836805796f55bfc846

    SHA1

    b980addc1a755b968dd5799179d3b4f1c2de9d2d

    SHA256

    f917aef484d1fbb4d723b2e2d3045cb6f5f664e61fbb3d5c577bd1c215de55d9

    SHA512

    ce67da936a93d46ef7e81abc8276787c82fd844c03630ba18afc3528c7e420c3228bfe82aeda083bb719f2d1314afae913362abd1e220cb364606519690d45db

  • memory/860-35-0x0000000037840000-0x0000000037DE4000-memory.dmp

    Filesize

    5.6MB

  • memory/860-18-0x0000000001A80000-0x00000000049DE000-memory.dmp

    Filesize

    47.4MB

  • memory/860-31-0x0000000000820000-0x0000000001A74000-memory.dmp

    Filesize

    18.3MB

  • memory/860-32-0x0000000001A80000-0x00000000049DE000-memory.dmp

    Filesize

    47.4MB

  • memory/860-33-0x0000000000820000-0x0000000001A74000-memory.dmp

    Filesize

    18.3MB

  • memory/860-34-0x0000000000820000-0x0000000000860000-memory.dmp

    Filesize

    256KB

  • memory/860-36-0x0000000037770000-0x00000000377D6000-memory.dmp

    Filesize

    408KB

  • memory/860-37-0x0000000038420000-0x0000000038470000-memory.dmp

    Filesize

    320KB

  • memory/860-38-0x0000000038470000-0x0000000038502000-memory.dmp

    Filesize

    584KB

  • memory/860-39-0x00000000386D0000-0x00000000386DA000-memory.dmp

    Filesize

    40KB

  • memory/4984-16-0x0000000077101000-0x0000000077221000-memory.dmp

    Filesize

    1.1MB

  • memory/4984-17-0x0000000004DD0000-0x0000000007D2E000-memory.dmp

    Filesize

    47.4MB

  • memory/4984-15-0x0000000004DD0000-0x0000000007D2E000-memory.dmp

    Filesize

    47.4MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.